Senate Passes Cybersecurity Info Sharing Bill
Several Privacy-Related Amendments Rejected
The Senate on Oct. 27 passed by an overwhelming margin the controversial Cybersecurity Information Sharing Act of 2015, which provides businesses with liability protections if they voluntarily share cyber threat information with each other and the federal government. The vote was 74-21.
Now the measure must be reconciled with two related bills passed earlier by the House, ironing out discrepancies and combining them into one measure to present to President Obama (see House Oks 2nd Cyberthreat Info Sharing Bill).
Supporters of CISA, including the Financial Services Roundtable and the U.S. Chamber of Commerce, among other business groups, argued it will help pave the way for an increase in the sharing of cyber threat information that could be used to help prevent breaches. But opponents, including some privacy advocates and major technology firms, argued that the legislation would lead to the exposure of private information of American citizens to spy agencies and law enforcement (see Senate Wrestles with Cyber Threat Info Sharing Bill).
Long Quest
"This has been a six-year effort, and it hasn't been easy," said Sen. Dianne Feinstein, D-Calif., who led the effort to pass CISA, along with Sen. Richard Burr, R-N.C. "We've been trying to strike a balance" between the privacy of citizens' information and better cybersecurity, Feinstein told her Senate colleagues before the day's lineup of votes. The bill's backers have worked to make the legislation "understandable to business," she argued.
"We see the same cyber intrusions used again and again to penetrate targets," she said. If someone sees malware or other signs of attack, companies should be able to share information without fear of liability or violations of antitrust laws, she contended.
The bill approved by the Senate incorporated a package of amendments bundled together last week. That package includes, for example, an amendment calling for a study of the cybersecurity of the Department of Health and Human Services and the healthcare sector and a review of federal computers that have access to classified information or personally identifiable information. It also includes some privacy-related provisions, including certain limits on what data the government can collect and how it can be used. "We did everything in this bill that we possibly could to satisfy privacy concerns," Feinstein declared.
Also approved was a separate amendment sponsored by Sen. Jeff Flake, R-Az., that sunsets CISA after 10 years. Flake had originally proposed sunsetting the bill after six years.
Rejected Amendments
Before the bill was passed, the Senate rejected a series of other amendments designed to add a variety of additional privacy-related provisions to the legislation.
Among the amendments rejected were proposals from Sen. Ron Wyden, D-Ore., Sen. Dean Heller, R-Nev., and Sen. Chris Coons, D-Del., that generally would have imposed stricter requirements for the removal of personal information under certain conditions before cyber threat updates were shared. Also rejected was a proposal from Sen. Al Franken, D-Minn., to further restrict the type of information that the government would receive by redefining "cybersecurity threat" in the bill.
In addition, an amendment from Sen. Patrick Leahy, D-Vermont, to strike a Freedom of Information Act exemption from the bill also failed to pass. In a statement issued by Leahy's office on Oct. 26, the senator said CISA contains "an unnecessary provision that would weaken the Freedom of Information Act, the government's premier transparency law." But Feinstein argued that eliminating the FOIA exemption in CISA would only embolden cyber attackers. "Information should not be widely available to hackers," she said.
Another rejected proposal, from Sen. Tom Cotton, R-Ark., would have given businesses that share cyber threat information directly with the FBI and Secret Service the same liability protections as those that share information via a Department of Homeland Security portal, as called for under the bill.
Feinstein argued Cotton's proposal had the potential of eating away at personal privacy protections. There is a need "to limit information to be shared to DHS," she said. "Information goes to the portal, gets scrubbed, and then goes to respective agencies. Privacy is protected."
The CISA bill is about sharing information about cyber threats, not cybercrimes, Feinstein emphasized. "When there is a cybercrime, we're talking about very different information. The FBI takes a much deeper look into [crime-related] information."
CISA doesn't mandate businesses share cyber threat information, Sen. Tom Carper, D-Del., stressed.
"Companies don't have to share information with federal government, but they can," he said.
Carper also discouraged his Senate colleagues from approving the Cotton amendment because of the potential that cyber threat information would be "stove piped" to agencies, such as the FBI, when DHS is the most appropriate government unit to handle cyber threat information and address it in real time. The Cotton proposal "is dangerous," he argued.
Strong Reactions
The American Bankers Association lauded the Senate for passing the measure. "CISA facilitates increased cyber intelligence information sharing between the private and public sectors, and strikes a balance between protecting consumer privacy and allowing information sharing on serious threats to our nation's critical infrastructure," the ABA said in a statement.
Nevertheless, the ABA expressed some concerns about the measure. "While CISA will help our industry work more effectively with the federal government and other sectors to better protect our customers from cyber threats, we're concerned that some provisions adopted by the Senate may have the unintended consequence of making information sharing less effective. In particular, a provision that would change the inherent voluntary nature and structure of CISA by allowing DHS to create cybersecurity standards for critical infrastructure that would have the practical impact of regulation is unnecessary and harmful."
Fight for the Future, an advocacy group that strongly opposed CISA because it claims the measure would lead to the exposure of Americans' private information to spy agencies and law enforcement, said in a statement that the bill "codifies the U.S. government's unconstitutional spying programs while completely failing to prevent cyberattacks."
The group also said: "By supporting a bill that has been resoundingly rejected by security experts, tech companies and advocacy groups from across the political spectrum, these politicians have highlighted the brokenness of our political system and exposed the reality that U.S. Congress is one of the Internet's greatest foes."
(News Editor Howard Anderson contributed to this story)