A modest response to a real cyberthreat
"Omnibus Funding Bill is a Privacy and Cybersecurity Failure," the Open Technology Institute declared on Dec. 16. "Last-Minute Budget Bill Allows New Privacy-Invading Surveillance in the Name of Cybersecurity," the Intercept blared. Why did Congress, in its massive year-end budget deal, slip in a measure that Gizmodo once called "the worst privacy disaster our country has ever faced"?
Because it's not. The Cybersecurity Act of 2015 is in fact a modest cybersecurity information-sharing law that tech alarmists in need of an outrage have painted as a grave threat to liberty. What these critics often fail to explain clearly is that the law is meant to clear hurdles for companies to share information on cyberthreats with the government - voluntarily. Among other things, the critics complain that the measure doesn't require the government to obtain warrants for the information. That's nonsensical, because the law does not call for coercive government data collection.
Moreover, the measure contains privacy protections, calling for personally identifying data to be scrubbed from the information companies send to the government and limiting how federal agencies can use the information. There are narrow exceptions to the privacy restrictions involving things such as responding to a threat of serious bodily harm or the exploitation of a minor. Critics also fret that the law could lead to information going from private companies directly to the National Security Agency. In fact, the act designates the civilian Department of Homeland Security to serve as the hub for cybersecurity information reporting. President Obama opposed earlier versions of the measure out of privacy concerns. After the addition of privacy safeguards, the White House supported it and has now signed it.
The reality is that the data and privacy of Americans are already seriously at risk from an onslaught of cybertheft, intrusion and disruption, some of it by foreign governments and some not. The consequences: Millions of people have suffered the loss of credit card and personal data; corporations and other organizations have lost billions of dollars in intellectual property; sensitive networks of the U.S. government have been compromised.
The country remains at risk. Most of the nation's networks are in the private sector, but the government has sophisticated tools needed to detect and fight intruders. The government and business need to work together. Congress has been dragging its feet for more than three years on this question of information-sharing, in part because the libertarian-minded online privacy activists rancorously oppose even baby steps that involve government action. This legislation is not a panacea for all cybercrime and disruption, but it should enable a long-overdue process of business-government cooperation.
The act should be measured "against the daily invasion of our privacy by these hackers," Rep. Adam Schiff, D-Calif., told the Associated Press. "Those who believe that (the) perfect should be the enemy of the good have to justify how they're willing to accept rampant hacking into our privacy and do nothing about it." We couldn't agree more.
This story was originally published December 29, 2015 at 12:00 AM with the headline "A modest response to a real cyberthreat."