The Senate is one step closer to a floor vote on cybersecurity legislation that would address information sharing between the private sector and the government. On July 8, the Senate Select Committee on Intelligence approved a contentious cybersecurity bill known as the Cyber Information Sharing Act (CISA).
The proposed legislation would remove legal barriers to allow private companies to share information regarding cyber-attacks “in real time” with other private companies and the government. Companies sharing information for cybersecurity purposes would be shielded from lawsuits by individuals against the company for sharing that data, regardless of terms of service contracts that may prevent such actions without a customer’s consent. In order to receive the liability protection, private entities would be required to submit information directly to the Department of Homeland Security, which could then share the information with other federal agencies as necessary to address the threat. Additionally, CISA would direct the federal government to share classified and unclassified information with the private sector.
CISA also includes several provisions to protect privacy, such as requiring that companies sharing information remove all personally identifiable data (e.g. names, addresses, and Social Security numbers). The Attorney General would be directed to write procedures to limit government use of cyber information received to “appropriate cyber purposes” and ensure that privacy protections are in place. A full synopsis from the Senate Committee Chair and co-sponsor of CISA, Dianne Feinstein (D-CA), is available here. Adequate privacy protections have been a continuing sticking point for successful cybersecurity information sharing legislation. The Cyber Intelligence Sharing and Protection Act (CISPA) – the information sharing bill counterpart in the House of Representatives – faced strong privacy objections from civil liberties and public interest groups. When CISPA passed the House in 2013, the White House threated to veto the bill unless it included additional privacy protections.
Even with CISA’s added protections, many privacy groups oppose the bill. Similar to CISPA, these groups remain anxious that the legislation could encourage a company, such as Google, to turn over huge amounts of emails or other private data to the government in the name of cybersecurity. The groups fear that the National Security Agency and other government agencies could gain access to even more personal information through this legislation. Moreover, because CISA provides liability protections to companies sharing information, individuals would have little recourse in the event of abuse.
Whether CISA becomes law in 2014 will depend not only on how quickly it can pass a floor vote but also how easily the Senate bill can be reconciled with CISPA, the House counterpart passed last year. Though CISA passed the Senate committee with bi-partisan support, Senate Democrats are already wavering on support due to concerns of insufficient privacy protections. If CISA manages to pass the Senate, there is a chance the House and Senate can agree to a reconciled bill. Representative Mike Rogers (R., Mich.), chairman of the House Intelligence Committee and co-sponsor of CISPA, stated publicly that the committees were close to agreement on harmonizing their respective cyber threat information-sharing bills, and had narrowed down their difference to a few, discrete issues. However, with less than 15 legislative days before the August recess and all eyes focused on the upcoming mid-term elections in November, if this cybersecurity legislation has any hope of moving forward Congress will need to do something it rarely does: act quickly.