The latest version of the Cybersecurity Information Sharing Act purportedly protects companies from liability and individuals from government intrusion.
The Senate Select Committee on Intelligence on March 13 advanced a cybersecurity information-sharing bill by a vote of 14-1. The bill is Congress' latest attempt to find a way to give private-sector network operators liability protection when they share cyberthreat information with government.
The Cybersecurity Information Sharing Act of 2015 was marked up and amended during a closed session of the committee, but it's not yet clear how the bill passed in committee compares with the discussion drafts. According to the committee, the bill gives the private sector incentives to cooperate with governmental cyber defenders via a portal set up by the Department of Homeland Security.
"This bipartisan legislation is critical to securing our nation against escalating cyber threats," said Sen. Richard Burr (R-N.C.), the committee's chairman. "I'm pleased CISA will advance to the Senate floor, where it will enjoy support from both sides of the aisle. The bill we passed today is overdue and will enable our agencies and institutions to share information about cyberthreats while also providing strong privacy protection for our citizens."
Congress has been here before. When the Senate was controlled by the Democrats, differences between the parties on privacy and civil liberties repeatedly stalled cybersecurity legislation. The White House has been acting administratively to establish some information-sharing protocols, most recently through an executive order issued in February and the creation of a Cyber Threat Intelligence Integration Center under the auspices of the Office of the Director of National Intelligence.
But as large-scale attacks against private networks -- such as those directed at Anthem, Sony and Target -- become increasingly common, there is growing pressure on Congress to include liability protections in the cybersecurity rulebook.
CISA establishes DHS as the pivot point for information sharing. The agency is charged with setting up a mechanism to receive threat indicators from network operators, including machine-to-machine transmission of threat information on a real-time basis. The draft legislation also includes plans for government to share classified and other non-public threat information with "cleared representatives of relevant entities."
Government-to-industry sharing is already taking place on a limited basis via a program aimed at protecting defense contractors' networks.
Sen. Ron Wyden (D-Ore.), the lone dissenter on the intelligence committee, said the information-sharing provisions in the bill are not balanced by language that preserves the privacy of Americans whose personally identifiable information could be included in private-sector reports to government and, therefore, obtainable by law enforcement and intelligence agencies without a warrant or other legal instrument.
"If information-sharing legislation does not include adequate privacy protections, then that's not a cybersecurity bill -- it's a surveillance bill by another name," Wyden said in a statement after the committee passed the bill.
However, Committee Vice Chairwoman Sen. Dianne Feinstein (D-Calif.) said the bill has benefited from amendments proposed by Democrats to expand privacy protections. Under those amendments, sharing would be conducted on a voluntary basis, only data on strictly defined cyberthreat indicators would be shared, and the government would be allowed to use the data only for specific purposes, including investigating and preventing crimes.
The bill also purportedly would not give intelligence agencies the authority to access threat information in real time.
"The robust privacy requirements and liability protection make this a balanced bill, and I hope the Senate acts on it quickly," Feinstein said.
The intelligence committee is not the only Senate panel with jurisdiction in this area. Sen. Tom Carper (D-Del.), ranking member of the Senate Homeland Security and Governmental Affairs Committee, has introduced a cyber information-sharing bill based on a White House proposal.
However, HSGAC Committee Chairman Sen. Ron Johnson (R-Wis.) said he was backing the intelligence panel's effort. "If we can get that bill passed, that'd be a good thing," he said.
Such jurisdictional amity apparently hasn't found its way to the House, however, where the Homeland Security Committee and the Permanent Select Committee on Intelligence are holding hearings and preparing cybersecurity legislation along separate tracks.