Security experts urge Congress to reject cyber-threat sharing bills

Leading security experts say they can already share cybersecurity information without compromising privacy law.


Leading security experts, researchers, and academics have called on members of Congress' intelligence and security committees to "reject" upcoming cybersecurity legislation.

A letter sent this week to five senior senators and congressmen, whose job it has been to oversee the draft bills and approve them through their respective committees, warns that new laws are not needed to prevent future attacks.

Security researchers and experts Jacob Appelbaum, Bruce Schneier, and Thaddeus Grugq, among more than 80 others, argue that companies can share cyber-threat data with other firms as well as the federal government without falling foul of existing privacy law.

"Waiving privacy rights will not make security sharing better," the letter reads. "Any bill that allows for and results in significant sharing of personal information could decrease the signal-to-noise ratio and make [indicators of compromise] less actionable."

In simple terms: bundling personal user information with threat data will make it far harder to find the vital clues that can prevent further attacks.

The signatories are specifically asking the lawmakers to oppose three laws, including the controversial Cybersecurity Information Sharing Act (CISA), which will be voted on by lawmakers later this year.

CISA allows private companies to share data about threats to their systems with the federal government. The bill has wide-ranging support from Silicon Valley technology giants, which want to prevent future cyberattacks on the scale of those against Target, Home Depot, and Sony.

The bill last month passed a closed-door session of the Senate Intelligence Committee on Thursday by a 14-1 vote. One senior member of the committee, Sen. Ron Wyden (D-OR), called the draft legislation a "surveillance bill by another name."

"These experts agree that the information sharing bills unnecessarily waive privacy rights because they focus on sharing information beyond that needed for cybersecurity," said Jennifer Granick, director of civil liberties at Stanford University's Center for Internet and Society.

Granick, who represented hacker and researcher Aaron Swartz before his death in early 2013, argued that researchers could already share cybersecurity information without waiving privacy law.

"Otherwise, what Congress will be doing is weakening privacy law and increasing government surveillance at a time when the public agrees that stronger privacy and civil liberties protections are needed," she added.