Last Thursday, the House Intelligence Committee held a hearing that focused on the Cyber Intelligence Sharing and Protection Act (CISPA)—the reintroduced privacy-busting cybersecurity bill from last year that would allow the private sector to share Americans' private information with the government, including agencies within the Department of Defense (DoD), such as the National Security Agency (NSA).
Despite including no privacy expert among its witnesses, the hearing returned to privacy and civil liberties issues repeatedly. Interestingly, corporate representatives—perhaps to the surprise of CISPA's sponsors—said repeatedly that the private sector generally does not need to share Americans' personally identifiable information (PII) with the government to advance cybersecurity. For example, Rep. Mike Thompson, D-Calif., questioned a witness on how to amend CISPA to protect PII. The witness, Paul Smocer from the Financial Services Roundtable, replied that "the kind of information we're talking about sharing here seldom, if ever, actually does contain any private information." He also added that he'd be "willing to work with" Thompson to improve CISPA's privacy protections.
Rep. Adam Schiff, D-Calif., then followed up with similar privacy concerns, asking whether it would be an "insurmountable burden for the private sector to have to take reasonable steps to minimize [PII]." Smocer again said that "there is very little private data, PII, being exchanged today in the threat information world," and that he didn't "think it would be an issue to make sure that we're doing it the right way." Ken DeFontes, president of Baltimore Gas and Electric, added "I think it's an absolute necessity." And John Engler, president of the Business Roundtable, echoed their sentiments, saying "I think it's exactly fine."
Despite this, the bill's sponsors, Reps. Rogers, R-Mich., and Ruppersberger, D-Md., crafted CISPA to immunize companies from liability for sharing private information like internet records, communications content, and identifying information. The bill sponsors also tried to establish that the government, and not the private sector, is best positioned to anonymize data—but the witnesses would not change their answers. Smocer said that companies are in the best position to protect customer data, that the added cost wouldn't be a deterrent, and reminded everyone how infrequently PII needs to be shared in the first place. Kevin Mandia, the panelist representing the cybersecurity industry, enthusiastically agreed with Smocer, stating that "in 20 years of doing cybersecurity…[he's] never seen a package of threat intelligence that's actionable that also includes [PII]."
Rogers and Ruppersberger argue their bill strongly protects privacy, assuring everyone that the private sector will just be sharing 1's and 0's—no PII. And industry is now on the record stating that companies do not normally need to share PII with the government. This raises the question: If sharing this information is so unnecessary to the cybersecurity mission, why not just explicitly build that protection into the bill?