Of the bills that passed the House, H.R. 3523, the Cyber Intelligence Sharing and Protection Act (CISPA), has attracted the most concern. The bill is currently in the Senate waiting review by the Intelligence Committee. It would revise the National Security Act to have the Director of National Intelligence set up information sharing procedures for cyber threat intelligence between private-sector entities and the intelligence community. Finding the proper balance between cyber security and privacy interests is one of the concerns expressed over the bill, and is a theme in the statement USACM released today. Noting that the benefits of increased information sharing need not come at the expense of increased privacy risks, USACM identified the following concerns with the legislation:
- The use and retention of personally identifiable information (PII) should be limited to the stated purpose of the legislation.
- The bill needs additional guidance on when PII could reasonably be cyber threat information.
- Restrictions on the use of PII in the current bill are relatively narrow.
- Shared information that is later determined not to be cyber threat information should be deleted.
- There are insufficient standards in the bill for oversight and/or control of shared information.
How quickly the Senate will take up CISPA is unclear. They are currently trying to work out a compromise on its own legislation, and may bring a bill to the full Senate sometime this month. Whether or not CISPA will be incorporated into the Senate legislation at that time, or considered separately is unclear.