As legislators make frenzied efforts to merge three cybersecurity bills into a final document, the American Library Association has joined civil liberties groups and privacy advocates in asking lawmakers to reject “new, troubling flaws” in the cybersecurity draft.
The lawmakers hope to submit a final document to President Obama for approval before Congress breaks for the year. Congress is expected to adjourn sometime next week.
The letter (PDF link) called the closed discussions an “undemocratic process,” and said the in-conference legislation “loses any advantages and improvements in the Homeland Security Committee's own cybersecurity bill, the NCPAA (National Cybersecurity Protection Advancement).” The letter signatories also include R-Street Institute, a D.C.-based conservative and libertarian think tank.
According to the groups, the proposed “conference” legislation would: create a loophole, allowing the president to remove the Department of Homeland Security, a civilian agency, as the lead government entity managing information sharing; reduce privacy protections for Americans' personal information; expand the term “cyber threat” to make it easier to prosecute crimes unrelated to cybersecurity; expand broad liability protection for information disclosure; pre-empt state and local disclosure laws on cyber-threat information shared with or by state or local governments; and eliminate a directive to ensure data integrity.
Homeland security committee chairman Rep. Michael McCaul (R-TX) said Wednesday he is pushing for provisions that address privacy issues. A tentative version of the cybersecurity bill has already been submitted to the White House.
Andrew Borene, an advisor with the Truman National Security Project and chairman of the Cyber Security Summit, told SCMagazine.com, “It would be hard to believe that the legislators aren't a little bit in reactive mode to the San Bernardino shootings.”
At an event hosted by the Christian Science Monitor, McCaul said Republicans may lose votes on the government spending bill if the cybersecurity legislation does not include strong privacy protections. “We want DHS to be the lead civilian agency, not the FBI, who can prosecute you,” he said.
In attempts to surveil terrorist groups and US enemies, lawmakers have been pushing for more aggressive surveillance and de-encryption policies. For instance, President Obama said during a televised speech Sunday evening, “I will urge high-tech and law enforcement leaders to make it harder for terrorists to use technology to escape from justice.”
On Wednesday, Senate intelligence committee vice chairman Sen. Dianne Feinstein (D-CA) said during an FBI oversight hearing that she would seek legislation requiring companies to decrypt data under court order. Also, Republican presidential candidate South Carolina Senator Lindsey Graham said on Wednesday night that tech companies should change the practice of encrypting user data, to make it easier for companies to comply with government requests for customer information.
Industry researchers say these policies would fundamentally weaken internet security. In speaking with SCMagazine.com after the terrorist attacks in Paris last month, Yehuda Lindell, Dyadic Security co-founder and chief scientist, warned about the prospect of government backdoors and de-encrypting technologies. He warned that once backdoors are created for use by government authorities, it is much easier for hackers to access sensitive information by hacking the key to those backdoors.
In an email sent to SCMagazine.com, RSA president Amit Yoran warned that the most pervasive threat actors make use of “multiple backdoors to assure persistence.”
Lindell said the idea that only law enforcement authorities would use de-encrypted information is “completely naive.”