Senate Wrestles with Cyber Threat Info Sharing Bill
Meanwhile, Opposition to CISA from Tech Firms, Privacy Advocates Escalates
As the Senate continues to wrestle with the Cybersecurity Information Sharing Act of 2015, with a vote expected next week, opposition to the bill from some privacy groups and major technology firms, including Apple, is heating up.
CISA, which aims to enhance cyber threat information sharing between the private sector and the government to help thwart breaches, had come to the Senate floor before the August recess, but then was stalled, in part, because of opponents' concerns that the proposed bill would create sweeping new levels of government surveillance (see CISA: One Step Back, Another Step Forward).
The bill would encourage cyber threat information sharing, in part, by providing organizations that share information with protection against liability. But opponents, including Sen. Ron Wyden, D-Ore., contend the bill as currently drafted would lead to the exposure of private information of American citizens to spy agencies and law enforcement.
Opposition to the bill by tech firms has been growing in recent days, including from some companies, such as Apple, that had originally supported earlier versions of the legislation but have since changed their positions.
"We don't support the current CISA proposal," Apple said in an Oct. 20 statement to the Washington Post. "The trust of our customers means everything to us, and we don't believe security should come at the expense of their privacy."
Senate Actions
Senate majority leader Mitch McConnell, R-Ky., on Oct. 20 filed cloture to end debate on CISA, with a likely procedural vote set for Oct. 22 and a final vote potentially coming early next week. During an Oct. 21 Senate session, McConnell called on his Senate colleagues to pass the bill. "It contains modern tools that cybersecurity experts tell us could help prevent future attacks against both the public and private sectors," he said, according to The Hill.
On Oct. 20, the Senate consolidated 14 amendments into a so-called "manager's package." Eight of those were among nearly two dozen amendments that the Senate agreed to consider before its August recess, Politico reports.
Most of the amendments that are part of the manager's package require some kind of report or assessment, Politico reports. That includes a study of the cybersecurity of the Department of Health and Human Services and the healthcare sector and a review of federal computers that have access to classified information or personally identifiable information.
Among the CISA amendments in the manager's package is a "privacy protection" proposal from Sen. Tom Carper, D-Del., ranking member of the Homeland Security and Governmental Affairs Committee, that ensures DHS "scrub" sensitive personal information before cyber threat data is shared with other agencies.
"We receive almost daily warning about cyber threats," said Sen. Chuck Grassley, R-Iowa, during the Oct. 21 Senate session. "The legislation before us helps create a legal framework to help us respond to threats." Under CISA, companies would voluntarily share information with each other and the government, and the government would share threat information with the private sector, he noted.
The bill "reduces uncertainty and legal barriers that inhibit cyber sharing today," Grassley said, adding that CISA "contains privacy protection to strike balance to maintaining security and protecting civil liberties."
Opposition Grows
Despite scrambling by some legislators to address criticism of the bill by the addition of privacy protections, opposition to CISA has been escalating in some circles.
Among the loudest privacy advocacy groups opposing the bill is Fight for the Future, which has run multiple campaigns in recent months calling on technology companies to take public positions against CISA.
"The Business Software Alliance, for example, had initially released a letter that appeared to support the bill, but quickly retracted that position after it sparked a public backlash and calls for boycotts," Fight for the Future says in an Oct. 21 statement. The privacy organization says a scorecard it's keeping on 30 major technology companies shows 23 firms currently oppose CISA.
But the bill still has many proponents in the business community, including the Financial Services Roundtable and the U.S. Chamber of Commerce.
"Businesses need legal certainty that they have safe harbor against frivolous lawsuits when voluntarily sharing and receiving threat indicators and countermeasures in real time and taking actions to mitigate cyberattacks," the Chamber of Commerce says. "Legislation needs to safeguard privacy and civil liberties and establish appropriate roles for civilian agencies.
"The Chamber also urges Congress to send a bill to the president that gives businesses legal certainty that they have narrow liability protections when voluntarily sharing and receiving threat data indicators and defensive measures in real time and monitoring their networks to mitigate cyberattacks."
McConnell reportedly said on Oct. 20 that he hopes to get a Senate vote passing CISA by early next week. The Senate bill then would face reconciliation with a version of the CISA bill that the House passed in April (see House Oks 2nd Cyberthreat Info Sharing Bill).
The Senate's consideration of CISA builds on the cybersecurity efforts of the last Congress (see: Obama Signs 5 Cybersecurity Bills). During the 113th Congress, the Senate Homeland Security and Governmental Affairs Committee authored several cybersecurity bills, which President Obama signed into law in December, Carper noted in a statement. Those other cyber bills include the Federal Information Security Modernization Act; the National Cybersecurity Protection Act of 2014 authorizing the National Cybersecurity and Communications Integration Center at DHS for information sharing; as well as two bills aimed at bolstering the federal cybersecurity workforce.