Alternative Cyber Info-Sharing Bill CirculatesMeasure Includes Liability, Privacy Provisions Businesses Seek
The Senate Select Committee on Intelligence could consider in the coming days new cyberthreat information sharing legislation that's seen as more to the liking of the business community than the measure proposed by President Obama.
A discussion draft of the Cybersecurity Information Sharing Act of 2015, or CISA, being circulated by the leaders of the Senate Select Committee on Intelligence - Chairman Richard Burr, R-N.C., and Vice Chairwoman Dianne Feinstein, D-Calif. - provides broader liability protections to businesses that voluntarily share cyberthreat information with the government and less stringent privacy protections than legislation offered by Obama and introduced last month by Sen. Tom Carper, D-Del. (See Congress to Consider Info-Sharing Bills.)
CISA, which is opposed by civil liberties and privacy advocacy groups, is patterned after a similar bill Feinstein sponsored in the last Congress, which passed the intelligence panel after being amended in a closed-door session, but never came up for a vote in the Senate (see Senate Panel OK's Cyberthreat Info Sharing Bill ).
Seeking 'Practical Compromise'
In January, a message sent to senators from nearly three dozen industry groups characterized the version of CISA that passed last July as legislation that would give "businesses legal certainty that they have safe harbor against frivolous lawsuits when voluntarily sharing and receiving threat indicators and countermeasures in real time and taking actions to mitigate cyberattacks" that also would "safeguard privacy and civil liberties and establish appropriate roles for civilian and intelligence agencies. The cybersecurity measure approved last year by the Select Committee on Intelligence reflected practical compromises among many stakeholders on these issues."
The president's plan - reflected in Carper's bill, the Cyber Threat Sharing Act of 2015 - more narrowly defines liability protections, limiting those safeguards to threat information shared with the Department of Homeland Security's National Cybersecurity and Communications Integration Center and information sharing analysis organizations, or ISAOs, that would be established by industry with government approval. The Carper legislation also would require businesses to make reasonable efforts to strip personally identifiable information from cyberthreat data to be shared, a process that industry says could prove costly and deter small and midsize businesses from voluntarily sharing and receiving cyberthreat information (see Could Costs Impede Info-Sharing Plan?).
U.S. Chamber of Commerce's Matthew Eggers explains why businesses seek broader liability protections.
When compared with the president's proposal, CISA offers a more dynamic approach to sharing cybersecurity threat data among multiple business and government partners, coupled with stronger protections, says Matthew Eggers, U.S. Chamber of Commerce senior director for national security and emergency preparedness. "CISA would go the furthest in helping businesses, including critical infrastructure, defend information systems against cyberattacks," Eggers says. "Businesses would likely share and receive CTIs (cyberthreat indicators) and countermeasures and monitor their networks on a broader scale and more confidently because CISA grants stronger liability protections and better policy tools."
But a group of civil liberties and privacy advocacy organizations, along with 22 computer security experts, on March 2 sent a letter to Burr and Feinstein calling for the rejection of CISA. The letter contends CISA would permit automatic National Security Agency access to personal information shared with a governmental agency, furnish inadequate protections prior to sharing data, allow dangerous authorization for countermeasures and provide overbroad authorization for law enforcement use.
"CISA will do much more to enhance the government's cyber-surveillance than it will do to enhance everyone's cybersecurity, and should be strongly opposed," Robyn Greene, policy counsel for the Open Technology Institute, the technology program of the think tank New America Foundation, writes in a recently published blog.
The White House has not weighed in on CISA, but in the past two congresses, the Obama administration had threatened to veto the Cyber Intelligence Sharing and Protection Act, known as CISPA, which twice passed the House of Representatives and featured liability and privacy protection provisions similar to those found in CISA (see White House Threatens CISPA Veto, Again).