At the end of April 2015, the Protecting Cyber Networks Act (PCNA) was officially passed by the US House of Representatives with a 307-116 vote. Created to encourage cybersecurity threat data sharing in between private sectors and the government, like many acts it “means well” but comes with plenty of critics and concerns. President Obama had already signed the executive order for the PCNA in February, so the passing wasn’t much of a surprise, particularly after 2014—or the “year of the hacks and breaches” according to many. In particular, the notorious Sony attack was cited as a reason for the PCNA and it has many feeling a little safer as hacks, breaches and other threats continue into 2015.
However, according to critics this is just another means of “spying” on citizens and will offer the NSA and easier route to do so. There was plenty of hubbub over the NSA’s tactics last year, with critics saying not only is it potentially illegal, immoral and unethical, but it’s also costing cloud providers a whopping $500 million each year (or more). Plus, it’s rumored that it’s standing in the way of internet business deals between the US and EU since the EU doesn’t want to be put under the same type of microscope.
The Fine Print
It’s important to note that in the bill itself, there’s nothing that says only cybersecurity threats can’t be shared. Specifically, some who had pored over the bill point out that the PCNA could be used as an excuse to dig into any alleged “bodily harm or death” threat, which might rope law enforcement agencies into the mix. There’s a lot of data sharing made legal by the PCNA that otherwise would have never passed muster since it directly flies in the face of the “Wiretap Act” (Electronic Communications Privacy Act), which was designed to stop the government from tapping private information.
There is some research showcased in The Whir which addresses if threat sharing is even a good way to stop threats—regardless, the government has spent over $14 billion on such initiatives. Of that, $227 million has been earmarked for creating a civilian’s “cyber campus” where the sole purpose is to exchange data on “cyber threats.” There is a joint letter created by 55 security experts and civil liberties groups which states, “PCNA would significantly increase the National Security Agency’s access to personal information, and authorize the federal government to use that information for a myriad of purposes unrelated to cybersecurity.” Those 55 entities who signed the letter include the Freedom of the Press Foundation, American Civil Liberties Union and more.
What Comes Next?
These 55 experts aren’t alone, and many civilians are mimicking their concerns. “The revelations of the past two years concerning the intelligence community’s abuses of surveillance authorities and the scope of its collection and use of individual’s information demonstrates the potential for government overreach, particularly when statutory language is broad or ambiguous.” They point out that the act doesn’t offer strong enough protection for privacy, nor do they actually clarify exactly what can be done, the information that is being shared and how it will ultimately be put to use by the government.
However, the government is standing by its decision. The leader of the bill, Congressman Adam Schiff, says privacy protection is top priority with the bill. The White House has also officially supported the bill, but privacy advocates are still hopeful that President Obama will offer a veto—though that is very unlikely.