CISA: One Step Back, Another Step Forward
Senate Delays Action on Cyberthreat Info Sharing Bill
The Senate took one step backward and another step forward in the political jockeying needed to bring cyberthreat sharing legislation up for a vote.
Privacy advocates in the Senate - led by Oregon Democrat Ron Wyden - will get their chance to introduce amendments to the Cybersecurity Information Sharing Act, legislation that would encourage businesses to share cyberthreat information with each other and the government by giving them liability protection. But they'll have to wait until after Congress' August vacation.
Wyden and other opponents contend the bill as currently drafted would expose private information of American citizens to spy agencies and law enforcement. But after backroom haggling on Aug. 5, Republican and Democratic leaders agreed to postpone debate until September, at the earliest, when 11 Democratic and 10 Republican amendments to CISA would be taken up.
Seeking Sensible Policy
"We'll have a chance in the fall to look at ways to address cybersecurity in a fashion that does respond to what our people want, and that is to show that security - in this case cybersecurity - and liberty are not mutually exclusive," Wyden said on the Senate floor. "It's a sensible policy, worked out in a bipartisan way, will respond to the needs of this country in what is, unquestionably, a dangerous time."
Supporters of the bill, from both parties, contend that an amended version of the bill unveiled earlier this week would have excised provisions in which cyberthreat information could be shared with the National Security Agency and other intelligence and law enforcement agencies for purposes other than to prevent a cyberattack. The amended version also would have required companies to scrub personal information about individuals before sharing threat information such as attack signatures.
Taking Basic Precautions a Bigger Problem
Still, those changes didn't placate privacy advocates who seek stronger privacy protections. Lee Tien, a senior staff attorney at the Electronic Frontier Foundation, a civil liberties and privacy advocacy group, questions the effectiveness of the legislation, contending such a law would not have prevented major government breaches such as the hack of the Office of Personnel Management that exposed the private information of some 22 million individuals. The problem, he says, isn't as much with cyberthreat information sharing as with agencies failing to encrypt files, fix poor computer architecture and patch servers. "Frankly," Tien says in a blog, "not taking basic precautions seems like a much bigger problem than not knowing enough about threats."
Security and privacy attorney Edward McNicholas says enacting CISA would help by providing liability protection to businesses that so far have been reluctant to share cyberthreat information. "It would be good to have the bill, but businesses are not waiting for the government to do cybersecurity; the government is not waiting for Congress to do cybersecurity," says McNicholas, who served as an associate counsel in the Clinton White House. "A lot of cyberthreat information is being shared already in ISACs (Information Sharing and Analysis Centers) and ISOs (Information Sharing Organizations) today. The threat is real, and companies are not going to wait for Congress to protect themselves."
The deal to bring up the bill when Congress returns after Labor Day is seen as an encouraging sign by the Retail Industry Leadership Association, a trade group that backs CISA, saying in a statement to ISMG that it would like to have seen a vote prior to the recess. "But the unanimous consent agreement between (Majority Leader Mitch) McConnell and (Minority Leader Harry) Reid outlining the amendments which will be offered is a positive sign that this won't get bogged down when members come back from recess," the statement says.
Competition for Limited Time for Debates
A CISA vote shortly after Labor Day isn't a sure thing. The Senate's priority upon returning next month will be to debate and vote on the Iranian nuclear deal. Also, with the next fiscal year beginning Oct. 1, Congress must vote on a series of appropriations bills to fund the federal government.
CISA got a boost earlier this week when the White House provided a lukewarm endorsement of the measure. "Cybersecurity is an important national security issue and the Senate should take up this bill as soon as possible and pass it," Deputy Press Secretary Eric Schultz said in a statement. "While there are still areas of concern that we hope to address, the bill's sponsors have made a good faith effort to address some of our biggest concerns."
Even if the Senate passes CISA, the bill would go to the House, which passed two cyberthreat sharing bills in April. In this scenario, either a conference committee between House and Senate members would draft a compromise bill that must pass both chambers, or the House would have to accept the Senate version of the legislation.