The Senate Intelligence Committee on Tuesday approved, 12-3, a bill designed to promote the sharing of information between the private sector and the federal government. The bill also includes liability protections for companies and individuals that share cyber threat information or appropriately monitor their networks.
The bill requires the Director of National Intelligence to expand the sharing of classified and unclassified cyber threat information with the private sector while allowing the private sector to voluntarily share information with the federal government and other private entities.
The markup of the Cybersecurity Information Sharing Act of 2014 (CISA) was done in closed session by the committee. The bill was sponsored by Sen. Dianne Feinstein (D-Calif.), the committee chairman, and Sen. Saxby Chambliss (R-Ga.), the vice chairman. Chambliss stated that the Senate should take up and pass the bill before the August recess.
“To strengthen our networks, the government and private sector need to share information about attacks they are facing and how best to defend against them,” Feinstein said in a statement. “This bill provides for that sharing through a purely voluntary process and with significant measures to protect private information.”
The bill contains privacy and civil liberties protections, but organizations such as the American Civil Liberties Union and others have said in recent weeks that the draft version of the bill, which was released in mid-June, actually threatened individual privacy.
“The bill would create a massive loophole in our existing privacy laws by allowing the government to ask companies for ‘voluntary’ cooperation in sharing information, including the content of our communications, for cybersecurity purposes,” Sandra Fulton, an analyst with the ACLU, wrote in a June 27 blog on the group’s website. “But the definition they are using for the so-called ‘cybersecurity information’ is so broad it could sweep up huge amounts of innocent Americans’ personal data.”
In a June 26 letter to the Senate Democratic and Republican leadership, the ACLU and other groups warned that CISA extends the law to the Espionage Act, which would threaten government whistleblowers.
However, lawyer and cybersecurity expert Jamie Barnett said the privacy protections in the bill are more specific than past attempts at legislation. The bill requires the removal of personally identifiable information, unless it relates to the threat actor.
“If you’re the bad actor, obviously they can identify you,” Barnett, a partner at Venable LLP, said in an interview.
Barnett recognized that the tradeoff between privacy and security would always exist, but he said the bill’s requirement for the Attorney General to craft the legal procedures around information sharing “at least allows for some give and take–an intentional argument about how those procedures go into place.”
Unlike past bills, he said, “there’s more likelihood that this could pass.”
The respective leaders of the House Intelligence Committee, Chairman Mike Rogers (R-Mich.) and ranking member Rep. Dutch Ruppersberger (D-Md.), applauded the Senate panel’s passage of CISA.
“This bill, like the House version, allows American companies to better protect their networks from the daily onslaught of damaging cyber attacks,” Rogers and Ruppersberger said in a joint statement.
The markup of the bill included a number of amendments that were approved, including one by Sen. Susan Collins (R-Maine) amending a provision in the FY ’13 Defense Authorization Bill to allow the Defense Department to share cyber threat information it receives from defense contractors. Another, by Sen. Martin Heinrich (D-N.M.), would require the Attorney General to determine a specific limitation on how long cyber information can be retained.