Senate Intel Panel OK's Info-Sharing Bill
Intelligence Committee Approves Bill in Secret Session
The Senate Intelligence Committee has passed by a 14-1 margin a cyberthreat information sharing bill, but it's unclear whether the measure provides liability protections for businesses and privacy safeguards for citizens that would receive White House approval.
That's because the markup of the Cybersecurity Information Sharing Act was conducted in secret on March 12, and the committee had not made the text of the bill publicly available after the vote.
According to a statement issued by the committee chairman and ranking member - Sens. Richard Burr, R-N.C., and Dianne Feinstein, D-Calif. - the measure requires the removal of personally identifiable information when sharing cyberthreat indicators, although from the outline, it's unclear whether businesses or government would be responsible for the removal of PII. Industry groups have contended that it could prove too costly for some businesses to remove PII.
CISA also would limit the use of cyberthreat indicators to specific purposes, including the prevention of cybersecurity threats and serious crime. Privacy and civil liberties advocates objected to an earlier version of CISA that would have given the National Security Agency and other intelligence agencies access to shared cyberthreat information (see Alternative Cyber Info-Sharing Bill Circulates).
Lone Opposition
The one senator on the panel who voted against the measure, Democrat Ron Wyden of Oregon, said in a statement that CISA failed to provide adequate privacy protections, calling it a "surveillance bill by another name."
"I am concerned that the bill the U.S. Senate Select Committee on Intelligence reported [Thursday] lacks adequate protections for the privacy rights of American consumers, and that it will have a limited impact on U.S. cybersecurity," Wyden said. He did not provide specifics on how the measure would harm privacy rights.
In previous congresses, the White House had threatened to veto measures similar to the earlier version of CISA, contending the legislation didn't provide sufficient privacy safeguards and offered too broad liability protections to businesses. The White House has yet to weigh in on the latest measure (see: White House Threatens CISPA Veto, Again).
But Feinstein suggests the legislation as amended comes closer to what the White House seeks. "I talked to the president's chief of staff [Denis McDonough] yesterday," Feinstein says, according to the online publication The Hill. "I think he believes that a number of improvements have been made in the bill."
Sen. Tom Carper, the Delaware Democrat who sponsored another cyberthreat information sharing bill that reflects the Obama administration's position, says he's encouraged by the intelligence committee's bipartisan approval of the legislation. "I look forward to reading the new text of their bill once it becomes available," says Carper, one of the leading lawmakers on cybersecurity legislation. "In order to get legislation enacted, we need to work together to facilitate a collaborative and transparent process, and make sure our civil liberties are protected as we take steps to improve our cybersecurity."
Feinstein, according to The Hill, estimates that 15 Democratic amendments related to privacy were offered during the markup, 12 of which are in the final legislation, either in whole or in part.
Outline of Key Provisions
According to the intelligence committee leaders, CISA:
- Directs increased sharing of classified and unclassified information about cyberthreats with the private sector, including declassification of intelligence as appropriate.
- Authorizes private entities to monitor their networks or those of their consenting customers for cybersecurity purposes. Companies are authorized to share cyberthreat indicators or defensive measures with each other or the government.
- Requires the establishment of a capability sometimes referred to as a portal at the Department of Homeland Security as the primary government capability to quickly accept cyberthreat indicators and defensive measures through electronic means.
- Requires reports on implementation and privacy impacts by agency heads, Inspectors General, and the Privacy Civil Liberties Oversight Board to ensure that cyberthreat information is properly received, handled, and shared by the government.
- Provides liability protection for companies' appropriate use of additional cybersecurity authorities. The monitoring of networks for cybersecurity threats is protected from liability, along with sharing information about cyberthreats between companies consistent with the bill's requirements.
The president's plan - as reflected in Carper's bill, the Cyber Threat Sharing Act of 2015 - more narrowly defines liability protections, limiting those safeguards to threat information shared with DHS's National Cybersecurity and Communications Integration Center and information sharing analysis organizations, or ISAOs, that would be established by industry with government approval. The Carper legislation also would require businesses to make reasonable efforts to strip personally identifiable information from cyberthreat data to be shared, a process that industry says could prove costly and deter small and midsize businesses from voluntarily sharing and receiving cyberthreat information (see Could Costs Impede Info-Sharing Plan?).
Strictly Voluntary
CISA, if enacted as passed by the intelligence committee, would not require any private-sector organization to share cyberthreat information; it would be strictly voluntary.
The bill also would narrowly define the term "cyberthreat indicator" to limit the amount of information that could be shared.
CISA could come up for a vote by the full Senate in the coming weeks.