Want To Know Why DHS Is Opposing CISA? Because It's All A Surveillance Turf War

from the it's-not-what-you-think dept

As it appears that the fake "cybersecurity" bill CISA is heading to a vote in the Senate, some were surprised this week to see the Department of Homeland Security come out against the bill with a letter expressing concerns that the bill "could sweep away important privacy protections" with its open-ended definitions and provisions:

> The authorization to share cyber threat indicators and defensive measures with “any other entity or the Federal Government,” “notwithstanding any other provision of law” could sweep away important privacy protections, particularly the provisions in the Stored Communications Act limiting the disclosure of the content of electronic communications to the government by certain providers. (This concern is heightened by the expansive definitions of cyber threat indicators and defensive measures in the bill. Unlike the President’s proposal, the Senate bill includes “any other attribute of a cybersecurity threat” within its definition of cyber threat indicator and authorizes entities to employ defensive measures.)

This has led to some surprise among people who don't follow this that closely, that "even Homeland Security" doesn't like the bill. But that's really ignoring history and what this fight has always been about. Going back many, many years we've been highlighting that the behind all of these "cybersecurity" bills is that it's little more than a bureaucratic turf war over for the that will be lavished on government contractors for "cybersecurity solutions." That the bill might boost surveillance capabilities is little more than a nice side benefit.

The key players in this turf war? The NSA and Homeland Security (with the Justice Department occasionally waving its hand frantically in the corner shouting "don't forget us!"). From the beginning, one of the key questions people have asked is "who gets the data?" Obviously, "none of the above" is probably the best answer, but of the remaining options, Homeland Security tends to be option out of a list of three really bad options. And, so far, the White House has repeatedly pushed to put DHS in charge, giving it more power over the budget. However, CISA doesn't put DHS in charge.

So that is why DHS is complaining. Yes, the "privacy" concerns are there, but DHS's true concern is that it's not DHS running the show (and controlling the budget). Reread the DHS letter with this as background, and it appears a lot more understandable:

> The Administration has consistently maintained that a civilian entity, rather than a military or intelligence agency, should lead the sharing of cyber threat indicators and defensive measures with the private sector. The National Cybersecurity Protection Act of 2014 recognized the NCCIC to be responsible for coordinating the sharing of information related to cybersecurity risks and to be the federal civilian interface for multi-directional and cross-sector sharing of information about cybersecurity risks and warnings. The NCCIC has representatives from the private sector and other federal entities involved in cyber information sharing, from those with whom we have an agreement and share consistently, to those that passively receive information from the center.
>
> Equally important, if cyber threat indicators are distributed amongst multiple agencies rather than initially provided through one entity, the complexity–for both government and businesses–and inefficiency of any information sharing program will markedly increase; developing a single, comprehensive picture of the range of cyber threats faced daily will become more difficult. This will limit the ability of DHS to connect the dots and proactively recognize emerging risks and help private and public organizations implement effective mitigations to reduce the likelihood of damaging incidents. DHS recommends limiting the provision in the Cybersecurity Information Sharing Act regarding authorization to share information, notwithstanding any other provision of law, to sharing through the DHS capability housed in the NCCIC. This would not preclude sharing with any federal entity (indeed, DHS maintains an obligation to share rapidly with federal partners independent of any legislation), and it would further incentivize sharing through the NCCIC.

There's a lot more like that in the letter as well.

Don't get me wrong. Having DHS come out against CISA and speaking out about the privacy concerns the bill raises. But don't think that DHS is against these kinds of "information sharing" bills at all. It is not. It just wants to make sure that it's the queen bee when it comes to who's in charge of cybersecurity information... and, with it, who gets to control the budget.

Filed Under: cisa, cybersecurity, dhs, dod, doj, homeland security, nsa, privacy, turf war