Senate Panel OK's Cyberthreat Info Sharing Bill
Privacy Groups Criticize Senate Measure That Industry Backs
The Senate Intelligence Committee, by a 12 to 3 vote, has approved a heavily amended version of the Cybersecurity Information Sharing Act of 2014, which its sponsors say would encourage the federal government and private sector to voluntarily share cyberthreat information.
The White House, which had threatened to veto a similar bill, the Cyber Intelligence Sharing and Protection Act, or CISPA, that passed the House last year, has yet to say whether the Senate version meets its requirements to toughen privacy and liability protections.
The version of the bill the committee adopted July 8 will be introduced later this week once the approved amendments are incorporated. (On July 10, the committee issued the official version of the bill, known as S. 2588.)
"To strengthen our networks, the government and private sector need to share information about attacks they are facing and how best to defend against them," says Committee Chairwoman Dianne Feinstein, D-Calif., who co-sponsored the bill with the ranking Republican on the panel, Saxby Chambliss of Georgia. "This bill provides for that sharing through a purely voluntary process and with significant measures to protect private information."
Going into the markup session, which was closed to the public, industry groups praised the legislation while civil liberties and privacy organizations criticized it.
Need for Liability Protection
A letter from the heads of the American Bankers Association, Financial Services Roundtable and Securities Industry and Financial Markets Association praised the measure as "a very good step forward as it provides liability and anti-trust protections while balancing the need for privacy protection."
Businesses say they need liability protection so that sharing cyberthreat information with their competitors does not expose them to accusations of collusion and to anti-trust charges. In its veto threat, the administration contended that CISPA provisions were too broad and could allow businesses to use the excuse of cyberthreat information sharing to share other types of corporate secrets and circumvent anti-trust laws.
One of the Senate bill's provisions would put in place liability protections for individuals and companies that appropriately monitor their networks or share cyber information. It's unclear if this provision addresses White House objections.
Before the vote, the Center for Democracy & Technology, a civil liberties advocacy group, issued an analysis of the bill, contending it removed privacy protections that appeared in earlier versions of the measure. It objects to provisions it says could turn the cybersecurity program the bill would create into a back door wiretap by authorizing use of cyberthreat indicators for overly broad law enforcement purposes.
"The committee's description of the amendments that were adopted suggests that the big ticket items remain to be addressed," says Greg Nojeim, senior counsel and director of the center's Project on Freedom, Security and Technology. "Users' communications information will continue to flow to the NSA under a cybersecurity umbrella even when it is irrelevant to a cyberthreat. This is unacceptable."
If enacted as approved by the panel, the Senate measure would:
- Require the director of national intelligence to increase the sharing of classified and unclassified cyberthreat information with the private sector, consistent with the protection of sources and methods.
- Authorize individuals and companies to monitor their own computer networks and those of their consenting customers for cyberthreats and to implement countermeasures to block those threats.
- Allow the voluntary sharing of cyberthreat information by individuals and companies with each other and with the government. Such sharing is for cybersecurity purposes only, and companies must take appropriate measures to protect against the sharing of personally identifying information.
- Require federal government procedures for the receipt, sharing and use of cyber information. This includes the establishment of a portal managed by the Department of Homeland Security through which electronic cyber information will enter the government and be shared with other appropriate federal entities.
- Limit the government's ability to use information it receives to cyber-related purposes to ensure it does not engage in inappropriate investigations or regulation.
- Require reports on the implementation of these authorities by the heads of federal departments, the Privacy and Civil Liberties Oversight Board and relevant inspectors general.
An amendment by Feinstein and Chambliss to further strengthen privacy protections in the bill clarifies authorization language and makes technical changes. It's not clear if these changes would meet the White House call for stronger privacy protections.
"The legislation passed out of committee today is a strong, bipartisan bill that encourages the private sector and the government to share information voluntarily about these threats, without fear of frivolous lawsuits and without unnecessary bureaucratic obstacles," Chambliss says. "The cyberthreats to our nation are all too real. The Senate should take up and pass this bill before the August recess."