The Protect Cyber Networks Act, a bill that would require companies to share threat information with the government, passed the House with a 307-116 vote on Wednesday. It will now head to the Senate, where it’s expected to pass despite widespread criticism of the bill’s ramifications and lack of clear benefits.
The bill was drafted in response to data breaches at Target, Sony Pictures, and countless other companies. Instead of handling any threats themselves, the bill would require companies to band together and work with the government as part of a renewed effort to protect United States companies from cyberattacks.
Yet the bill’s critics fear that it’s merely a guise for the government’s efforts to preserve — and, indeed, expand — its surveillance efforts more than a year after National Security Agency programs were first revealed to the public. As Wired explains in its report on the bill receiving the House’s overwhelming support:
PCNA’s data-sharing privileges let companies give data to government agencies—including the NSA—that might otherwise have violated the Electronic Communications Privacy Act or the Wiretap Act, both of which restrict the sharing of users’ private data with the government. And PCNA doesn’t even restrict the use of that shared information to cybersecurity purposes; its text also allows the information to be used for investigating any potential threat of ‘bodily harm or death,’ opening its application to the surveillance of run-of-the-mill violent crimes like robbery and carjacking.
A collection of 55 civil liberties groups — including Human Rights Watch, the American Civil Liberties Union, the Electronic Frontier Foundation, and others — have also spoken out against the bill’s broad mandate. Yet this criticism didn’t stop the bill from passing; it merely prompted the addition of a seven-year limit.
But concerns about the bill’s ability to expand the federal government’s surveillance capabilities in the wake of international outrage isn’t the only problem here. Another organization, Congressional Research Service, argues that the government is focusing too much on sharing cyberthreat information:
Entities must have the resources and processes in place that are necessary for effective cybersecurity risk management. Sharing may be relatively unimportant for many organizations, especially in comparison with other cybersecurity needs. In addition, most information sharing relates to imminent or near-term threats. It is not directly relevant to broader issues in cybersecurity such as education and training, workforce, acquisition, or cybercrime law, or major long-term challenges such as building security into the design of hardware and software, changing the incentive structure for cybersecurity, developing a broad consensus about cybersecurity needs and requirements, and adapting to the rapid evolution of cyberspace.
All of which means a bill that at least has the potential to expand government surveillance without an apparent effect on cybersecurity has easily passed the House and is probably going to make its way through the Senate without issue. They should’ve just called it the “Spies Be Spyin’ Act” — at least that’d be honest.
[illustration by Brad Jonas]