After months of soliciting stakeholder input from government agencies and the private sector, the Senate Intelligence Committee in July advanced a bipartisan bill to provide liability protection for cyberthreat data sharing. The Cybersecurity Information Sharing Act (S. 2588) allows for the prompt dismissal of lawsuits against companies that have shared cyberthreat indicators or countermeasures, and it shields businesses from federal antitrust enforcement actions when they have shared cyberthreat information with competitors.
“Cyberattacks present the greatest threat to our national and economic security today, and the magnitude of the threat is growing,” said Sen. Diane Feinstein (D-CA), chairman of the Intelligence Committee and sponsor of the bill. “Every week we hear about the theft of personal information from retailers and trade secrets from innovative businesses, as well as ongoing efforts by foreign nations to hack government networks. This bill is an important step toward curbing these dangerous cyberattacks.”
To address the concerns of privacy advocates, the legislation establishes federal government procedures for the receipt, sharing, and use of cyber information. This includes the establishment of a portal managed by the Department of Homeland Security through which electronic cyber information will enter the government and be shared with other appropriate federal entities. The measure also limits the government’s ability to use information it receives to cyber-related purposes to ensure it does not engage in inappropriate investigations or regulation.
The legislation is similar to a version that passed the House of Representatives in April 2013 (H.R. 624), which the president threatened to veto. Privacy groups charge that the privacy protections in the Senate measure also could still potentially allow the U.S. government to increase its surveillance of the Internet. They cite a requirement that any cyberthreat indicators shared with any federal government agency also be shared with the National Security Administration and other elements of the Department of Defense.
However, the Senate bill is seen as more palatable to the White House, although recent reports indicate that the legislation will need to incorporate additional privacy and civil liberties protections before the president would agree to sign it into law.
Business groups are hopeful that a deal can be struck and a compromise bill can be passed by both the Senate and House during a lame duck session of Congress following the November elections.
“What is important is that CISA [the Cybersecurity Information Sharing Act] is headed in the right direction,” said Bruce Josten of the U.S. Chamber of Commerce, in a July 21 letter to the Senate.