On Cybersecurity, Thune Wants Immunity for Companies Surveil, Share Data, and Play InfoCop

Senator John Thune worries about opposition from left and right on the Cybersecurity Information Sharing Act of 2015. Screen cap from KELO-TV, 2015.09.03.
Senator John Thune worries about opposition from left and right on the Cybersecurity Information Sharing Act of 2015. Screen cap from KELO-TV, 2015.09.03

Senator John Thune held a field hearing of the Senate Commerce, Science, and Transportation Committee at Dakota State University in Madison on Thursday, September 3. (Thune was the only Senator present, but that’s all a Senate committee needs to take testimony and look busy during recess.)

Cybersecurity is a real problem. SDN Communications president Mark Shlanta testified that his company observed 4,500 threats against its customers in one year. To combat that problem, Senator Thune is supporting the Cybersecurity Information Sharing Act of 2015, which would give companies more freedom to share information about attacks with the government… and you less freedom to keep your data private:

Senator John Thune will vote in favor of the Cybersecurity Information Sharing Act when it goes before the Senate this month.  Thune says the bill will simply remove the legal and liability companies face now in sharing information about the threats.

…The bill exempts companies like SDN and others from anti-trust laws for sharing threat information with competitors and stops customers from suing if their information is turned over [Angela Kennecke, “Protection vs. Privacy,” KELO-TV, 2015.09.03].

Senator Thune admits there is opposition to the Cybersecurity Information Sharing Act, but he dismisses that opposition as coming from extremists:

“The response doesn’t follow your traditional party lines,” Thune said. “You’ll have an alignment of the people on the far left and the far right.”

Thune said persons on the left are often concerned about personal liberties, while right-wing libertarians have concerns about the size of federal government and how much authority it should hold [Chuck Clement, “Senator Discusses Security Issues,” Madison Daily Leader, 2015.09.04].

The Electronic Frontier Foundation takes issue with giving companies blanket immunity to hand private information to the government:

The bill also retains near-blanket immunity for companies to monitor information systems and to share the information as long as it’s conducted according to the act. Again, “cybersecurity purpose” rears its overly broad head since a wide range of actions conducted for a cybersecurity purpose are allowed by the bill. The high bar immunizes an incredible amount of activity. Existing private rights of action for violations of the Wiretap Act, Stored Communications Act, and potentially the Computer Fraud and Abuse Act would be precluded or at least sharply restricted by the clause. It remains to be seen why such immunity is needed when just a few months ago, the FTC and DOJ noted they would not prosecute companies for sharing such information. It’s also unclear because we continue to see companies freely share information among each other and with the government both publicly via published reportsinformation sharing and analysis centers, and private communications [Mark Jaycox, “Senate Intelligence Committee Advances Terrible Cyberscurity Bill Surveillance Bill in Secret Session,” Electronic Frontier Foundation, 2015.03.19].

EFF also contends that CISA grants private companies too much authority to launch surveillance and counterattacks against citizens without due process or a warrant.

Senator Al Franken shares EFF’s concerns, citing a letter from Homeland Security stating that CISA could “sweep away important privacy protections.” The bill Senator Thune backs would also complicate cybersecurity by allowing companies to share threat information with any government agency:

The DHS, in its letter, doesn’t merely knock CISA for incomplete — at best — privacy guard rails, but also that the idea of sharing “cyber threat indicators […] among multiple agencies,” instead of through “one entity” will lead to more “complexity” and “inefficiency” for both the public and private sectors. That’s to say that if you fire all the data into every corner, it tends to pile up and bury the stuff you might have needed [Alex Wilhelm, “Department of Homeland Security Highlights Privacy Concerns in Senate Cybersecurity Bill,” TechCrunch, 2015.08.03].

Senator Franken can’t support a bill that reduces privacy and our cybersecurity:

“I think all Americans have a fundamental right to privacy—and it’s especially important in light of advancing technologies that continually threaten to outpace our laws,” said Sen. Franken, who is the top Democratic Senator on the Judiciary Subcommittee on Privacy, Technology, and the Law. “The Department of Homeland Security’s letter makes it overwhelmingly clear that, if the Senate moves forward with this cybersecurity information-sharing bill, we are at risk of sweeping away important privacy protections and civil liberties, and we would actually increase the difficulty and complexity of information sharing, undermining our nation’s cybersecurity objectives” [Senator Al Franken, press release, 2015.08.03].

Senator Thune may keep chanting that anyone opposing him is an extremist. We could page Barry Goldwater, or we could just ask Senator Thune what’s so extreme about (1) expecting government, not private vigilantes, to take care of law enforcement, (2) asking that he take our Fourth Amendment rights against warrantless searches and seizures as seriously as he takes the Second Amendment, and (3) asking for policy that makes cybersecurity better, not worse.


13 Responses to On Cybersecurity, Thune Wants Immunity for Companies Surveil, Share Data, and Play InfoCop

  1. Tehran John, the traitor, wants to find a way to suppress even more lawful citizens of America. Again, name one thing Tehran John has done for South Dakota since he has been elected.

  2. mike from iowa

    The only securities Marlboro Barbie cares about is secure campaIgn donations from Korporate amerika owners and his security is bought by securing korporate amerika from lawsuits.

  3. All I see from both Thune and Franken are talking points in the clips Cory borrowed. Cybersecurity is a serious issue for the government, for companies, and for individuals. How about some specifics as to what the bill actually does and why it is written as it is, and some specifics from opponents as to how the bill should be changed to protect individual privacy while still providing for the protection of electronic data. Why is everybody talking like the language is written in stone and you have to be either for it or against it as is?

  4. Apple knew what Tehran John was thinking before he even said a word. http://www.huffingtonpost.com/entry/apple-hiring-artificial-intelligence-experts_55eedb77e4b093be51bbf94b

    Artificial intelligence is exactly the term I would use describing Tehran John. What has he ever done for South Dakota as an elected official? Bueller…Bueller..

  5. mike from iowa

    Here is a snippet of Marlboro Barbie’s talk where he apparently goes off message and describes the wingnut party- And these people have the skills to inflict great economic damage.”

  6. Another action by our idiot stick senator to take our rights away. Companies need to be responsible for keeping the information they require safe.

    Call Apple for Security – I hear they have never been hacked. If true the platform is available to keep all data safe. What is the issue hear? Is it Apple will not share data with law enforcement?

    Hopefully we get a candidate that can send him back to Presho.

  7. Douglas Wiken

    But of course you know that John knows just who is guilty and not, and of course, if you are not guilty, you have nothing to fear….if you never use a phone or email and deliver all your mail by hand to the receiver yourself…oh, and be careful of what books you read …and never, ever use a credit card. Sleep tight with your doors locked and an escape route in mind just in case your front door gets smashed with a battering ram when they get the wrong address for the raid.

  8. If you like, Rohr, here’s the full text of the bill. Let’s look at the definition of “cybersecurity threat”:

    Except as provided in subparagraph (B), the term “cybersecurity threat” means an action, not protected by the First Amendment to the Constitution of the United States, on or through an information system that may result in an unauthorized effort to adversely impact the security, availability, confidentiality, or integrity of an information system or information that is stored on, processed by, or transiting an information system.

    (B) EXCLUSION.—The term “cybersecurity threat” does not include any action that solely involves a violation of a consumer term of service or a consumer licensing agreement.

    I suppose one could argue vagueness in the “may result” and the breadth of the possible impacts.

    (13) MALICIOUS RECONNAISSANCE.—The term “malicious reconnaissance” means a method for actively probing or passively monitoring an information system for the purpose of discerning security vulnerabilities of the information system, if such method is associated with a known or suspected cybersecurity threat.

    Hmmm… so does “passively monitoring” include activities by white-hat watchdog groups who may suspect weakness in certain systems of public interest?

    I am interested by the point Homeland Security itself is making. CISA seems to be walking us away from the logic that led to Homeland Security, that we needed to bring all of our threat detection and response agencies under one roof for better protection. Isn’t CISA spreading things out again… or is DHS just trying to protect its turf?

  9. No profit grubbing private entity should ever receive immunity for their crimes. If they want their profits; then do not commit the crimes.

    psst, Sam2, it’s worse . . . Murdo, jakison kounty.

  10. Great post, Cory. There’s some temporary good news here:
    http://thehill.com/policy/cybersecurity/253001-senate-intel-chair-cyber-bill-not-likely-till-october

    In the meantime, Thune and Noem continue to sponsor this:
    http://dakotawarcollege.com/sd-democratic-blog-claims-police-are-fat-drunken-wife-beaters-who-will-die-early/

    “My response is that whether it’s Brad Ford spouting racist commentary on Gordon Howie’s website, Kurt Evans’ anti-Catholic bigotry, or Larry Kurtz calling cops drunken wife beaters, wrong is wrong, and evil must be challenged.”
    —Pat Powers

    I’d like to challenge evil, Pat, but you block my comments.

  11. Mr. Evans, there are some out there and in here who think you are evil, sir. One evil fellow. With evil ideas. I’m just sayin…

  12. oooooohhhhhhhhh. Jackson county. Murdo. Kadoka. Thune. Wanblee satellite voting needs????

  13. Kurt, thanks for the link! CISA stalled? What gives? John Thune, the third-ranking Republican in the Senate, holds a very important hearing on this very important legislation at very important Dakota State University, and he can’t get his chamber to move on CISA until October at the earliest? Where’s the leadership?