Senate to Mull Cyberthreat Sharing Bill
White House Mute on Whether It Backs New Measure
The Senate Intelligence Committee next week will consider long-awaited legislation that's designed to encourage businesses to share cyberthreat information with the federal government and each other.
Sens. Dianne Feinstein, D-Calif., and Saxby Chambliss, R-Ga., the intelligence committee's chair and ranking member, released on June 17 a draft version of the Cybersecurity Information Sharing Act, which the sponsors contend incentivizes the sharing of cybersecurity threat information between business and the government and among private sector entities.
A similar bill known as CISPA, the Cyber Intelligence and Protection Act, overwhelmingly passed the House of Representatives last year (see House Handily Passes CISPA; White House Threatens CISPA Veto, Again).
What's unclear is whether the Feinstein-Chambliss bill adequately addresses concerns raised by the White House in its veto threat. The administration complained that CISPA failed to provide sufficient privacy safeguards and that it extended liability protections to businesses too broadly.
The White House declined to comment on the new legislation or whether it was involved in its drafting.
James Lewis, the government IT security expert at the Center for Strategic and International Studies, a think tank, reviewed the legislation and suggests it's not much different from CISPA in substance, adding that the Senate bill contains "some modest tweaks to increase privacy protections."
The sponsor of CISPA, Rep. Mike Rogers, R-Mich., and the House Intelligence Committee's chairman and ranking member, C.A. Ruppersberger, D-Ill., enthusiastically endorsed the Senate measure and urged its quick passage. "The legislation will allow the private sector to protect itself from the severe onslaught of attacks, ultimately protecting the American economy as a whole," Rogers and Ruppersberger said in a statement. "We are confident that a final bill that enhances our security while protecting privacy and civil liberties can be worked out quickly in conference."
According to a statement issued by Feinstein, the bill would:
- Remove legal barriers for companies to voluntarily share, receive and use cyberthreat information and defensive measures;
- Furnish liability protection for the sharing of cyber-information for cybersecurity purposes;
- Authorize and provide liability protection for companies to monitor their networks.
- Direct the federal government to share information with the private sector at the classified and unclassified levels, consistent with protections of sources and methods.
- Provide important protections to ensure that sharing of cyber-information does not allow for privacy intrusions.
Specifically, the bill would require companies sharing cyber-information to strip personally identifying information from cyberthreat information before sharing it. It also would require the attorney general to write procedures to limit the government's use of cyber-information to appropriate purposes and to ensure privacy protections are in place.
The legislation also requires that information shared with the federal government through real-time information sharing mechanisms must be provided to the Department of Homeland Security in order to receive liability protection. That information is to be shared immediately with other relevant federal departments.