Cybersecurity Info Sharing Bill Draws Criticism
Privacy Groups Call on Obama to Issue Veto Threat
Privacy advocates are escalating their objections to the Cybersecurity Information Sharing Act that overwhelmingly passed the Senate Intelligence Committee last week.
Experts who have reviewed the legislation, as amended by the committee, say CISA, as the bill's known, is not substantially different than the Cyber Intelligence Sharing and Protection Act, or CISPA, which passed the House of Representatives last year but garnered a presidential veto threat (see: Obstacles Facing Info Sharing Bill). The White House said CISPA didn't go far enough to protect civil liberties and offered liability protections it deemed too broad to businesses that share cyberthreat information (see White House Threatens CISPA Veto Again). The administration usually doesn't comment on legislation until a vote is imminent, and a White House spokeswoman declined to comment on CISA.
CISA has been placed on the Senate legislative calendar, but that doesn't guarantee that it will be scheduled for floor debate and vote. The office of Senate Majority Leader Harry Reid, D-Nev., who would schedule a vote, did not reply to a query about the bill's status.
Objections to the Senate Bill
A group of privacy and civil liberties advocacy groups wrote a letter to President Obama asking him to issue a new veto threat, saying the language in CISA, like CISPA, bypasses the administration's previously stated preference of having a civilian agency lead federal cybersecurity efforts. Instead, the letter says, both bills favor the automatic and simultaneous transfer of cybersecurity information to American intelligence agencies, including the National Security Agency.
The letter also says CISA would allow the government to use shared cyberthreat information to not just protect vital IT but to aid in criminal investigations and prosecutions, which the advocates say should be beyond the scope of the measure. "Because CISA does not remedy any of the failures the administration previously identified in CISPA and because it fails to adequately protect all users," the letter says, "we request that you promptly pledge to veto this dangerous legislation."
One difference between CISA and CISPA is that the Senate bill specifically addresses antitrust concerns raised by some business leaders who didn't want to be accused of colluding with competitors if they shared cyberthreat information. Several lawyers said that concern was unfounded because sharing data about malware isn't the same as sharing information about pricing competitive products, which is illegal.
Joseph Bauer, a Notre Dame Law School antitrust professor, says existing antitrust laws would not have prevented competing businesses from sharing cyberthreat information, but he says adding antitrust language to CISA could deter some lawsuits.
"I don't think it changes the existing law," Bauer says of CISA's antitrust provisions, noting that only about 5 percent of antitrust cases are brought by the government. "What it may do is make that law clearer, and therefore either dissuade even a possibility of a lawsuit or, if that lawsuit was brought, lead to its quick and inexpensive termination."