The Intelligence Committees in both the House and Senate approved measures in March to shield U.S. companies from the liability risks of sharing cyber threat information.
On March 12, the Senate Intelligence Committee approved the Cybersecurity Information Sharing Act (S. 754) by a 14-1 vote. Two weeks later, the House Intelligence Committee approved the Protecting Cyber Networks Act (H.R. 1560) by voice vote. Both measures would provide liability protection to companies that voluntarily share “cyber threat indicators” or “defensive measures” with other private entities or the federal government. Both also allow plaintiffs to bring claims if they can show that a company engaged in “willful misconduct.”
In January, President Obama urged Congress to pass a cybersecurity measure to provide liability protection to companies that share threat information with the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC). However, industry stakeholders raised concerns that the president’s proposals did not go as far as the House and Senate Intelligence Committee bills in protecting U.S. companies that face liability risks.
The recent action in both chambers of Congress was welcomed by the business community.
“A critical and urgent need exists for Congress to remove legal impediments that prevent the public and private sectors from working even more effectively as a team to protect American consumers and our nation's critical infrastructure from cyber-attacks,” said Tim Pawlenty, president and chief executive officer of the Financial Services Roundtable, in a statement following the House Intelligence Committee vote.
Privacy groups, however, have raised concerns that the cyber threat information-sharing measures would weaken privacy protections for Americans. The House Intelligence Committee “failed to make significant changes that were necessary to better protect Americans’ privacy, and to ensure that the broad info-sharing authorized under the bill would not become a backdoor for government surveillance,” said Robyn Greene, policy counsel for the Open Technology Institute at the New America Foundation, in an online statement.
On March 2, a coalition of 48 privacy advocates signed a letter to the Senate Intelligence Committee expressing strong opposition to S. 754, arguing, among other things, that it allows automatic National Security Agency access to personal information shared with a governmental entity.
But members of the committee, including Sen. Dianne Feinstein (D-CA), the ranking Democrat, disagreed with the contention that the bill does not contain strong privacy provisions.
“There has been misinformation about this bill, so let me be clear: The goal of the bill is for companies and the government to voluntarily share information about cybersecurity threats -- NOT personal information -- in order to better defend against attacks,” Feinstein said in a March 18 statement. “This bill includes more than a dozen significant changes from last year's version. The privacy provisions are substantial and I believe address many of the concerns that had been raised in regard to earlier drafts of the bill.”
Despite the objections of privacy advocates, the cyber threat data sharing bills are expected to be considered by the full House and Senate before Memorial Day.
Unrelated to congressional cyber threat action, President Obama on April 1 signed an executive order to allow the Treasury Department to freeze the assets of people, companies, and other entities overseas that are identified as the source of destructive cyber attacks that target critical infrastructure and major computer networks or seek to steal significant trade secrets or intellectual property for competitive advantage or private financial gain.