DHS unveils privacy guidelines for cyber sharing law

The Department of Homeland Security (DHS) on Tuesday released interim guidelines for how the government will protect and share data gathered under a new major cybersecurity law.

It's the first of several steps meant to assuage fears that the Cybersecurity Act of 2015 — which encourages companies to share hacking threat information with the government — will simply shuttle more personal data on Americans to intelligence agencies.

ADVERTISEMENT
“We know many cyber intrusions can be prevented if we share cyber threat indicators,” said DHS Secretary Jeh Johnson in a statement.

Congress passed the Cybersecurity Act in December, with Obama signing the bill just before the new year.

Supporters — including most lawmakers and many industry groups — said the measure was necessary to help both government and businesses better understand and combat hackers.

In his statement, Johnson argued that the public and private sector could benefit from swapping information such as “the subject line of a spear phishing email, or the IP address of the computer from which it originated.”

“Sharing this kind of information in real-time, and swiftly applying defensive measures, will allow both the government and private sector to more effectively prevent attacks,” he added.

But the bill garnered significant criticism from privacy advocates, civil libertarians and some tech companies while it was being debated on Capitol Hill. These opponents said the measure’s privacy provisions would not stop large troves of personal data from being handed over to the government.

In response to these criticisms, the bill required the DHS to publish guidelines on how officials would handle, secure and disseminate to federal agencies information collected under the new law.

While the agency has until June to complete the final privacy document, the bill directed the DHS to release the interim guidelines to give time for outside input.

"We welcome feedback from privacy advocates and private sector participants," Johnson said.

The DHS on Tuesday also released instructions for companies on how to best share cyber threat data with the government.

“I encourage companies to work with DHS to set up the technical infrastructure needed to share and receive cyber threat indicators in real-time,” Johnson said. “Today’s guidelines provide the private sector with clear guidance on how to participate and what to expect.”