The U.S. is moving closer to passing a law that would protect companies from lawsuits for disclosing cybersecurity information with the United States government.
The Cybersecurity Information Sharing Act aims to address the growing cyberthreat facing U.S. consumers by facilitating real-time information sharing between the government and private sector.
That’s accomplished, in part, by offering companies protection from liability for disclosing sensitive information to the government with the intent to report a potential cybersecurity threat. Additionally, the government would be authorized under CISA to share classified information regarding cyberthreats with cooperating companies.
The Senate Intelligence Committee passed its version of CISA last week by a vote of 14-1. The language in the Senate bill is similar to that of previous drafts publicly circulated, save a series of privacy-related amendments that were adopted last minute in a closed door meeting. According to representatives who attended Thursday’s meeting, a House version of CISA will be similar, but not identical, to the Senate version.
On Thursday, the House Intelligence Committee discussed in an open hearing its own version of the bill.
“Cyberattacks on U.S. business have posed a threat for some time, but their pace and scope have risen dramatically in the last year,” said House Intelligence Committee Chairman Rep. Devin Nunes (R-Calif.), who referenced cyberattacks against Home Depot and Sony Entertainment Pictures, among others.
Nunes said Congress urgently needs to strengthen security around the nation’s digital infrastructure by “creating more effective ways for businesses and the government to share information on cyberthreats and by providing strong liability protections for those exchanges.”
Former Minnesota Gov. Tim Pawlenty, now president and CEO of Financial Services Roundtable, delivered witness testimony on Thursday before the committee, alongside representatives from IBM, Total Systems Services, and FireEye.
“To encourage better cyber threat information sharing within and between sectors as well as between industry and government, legislation providing sensible ‘Good Samaritan’ protections is needed,” Pawlenty said.
Bolstering cybersecurity, Pawlenty said, will require Congress to enhance liability protections for private businesses, provide exemptions from certain Freedom of Information Act requests, and declassify pertinent cyberthreat information while implementing appropriate privacy protections.
Rep. Adam Schiff (D-Calif.), the ranking Democrat on the House Intelligence Committee, warned of financial and privacy repercussions cyberthreats pose for Americans.
“Our privacy and our life savings are also under assault as repeated cyberintrusions have endangered Americans’ personal information,” Schiff said. “As the recent attacks on the health care provider, Anthem, demonstrate, even our health records are now under attack.”
Schiff added that “no cyberinformation-sharing legislation should include any surveillance authorities. Cyberinformation-sharing legislation is not, and must not become, a form of surveillance legislation.”
CISA has been opposed by numerous civil liberties groups who are concerned about provisions that require information to be widely shared throughout the government.
“It’s a surveillance bill,” said Gabriel Rottman, a policy advisor at the American Civil Liberties Union. Ideal legislation, he said, would ensure “that the information shared contained as little personal identifiable information as possible and limit what the government can do with that information once it has it.”
Rottman’s chief concern, echoed by other privacy advocates, is that CISA requires cyberthreat-related information shared by private companies with the Department of Homeland Security to be shared with multiple other federal agencies, including the National Security Agency and other Department of Defense agencies.
“The bill permits companies to share these cyber threat indicators not just for cybersecurity purposes, but for any purpose permitted under the bill, including broad law enforcement and anti-terrorism purposes,” the Center for Democracy and Technology said in a statement.
CISA is expected to hit the Senate floor next month, and according to Rep. Nunes’s office, the House version of the bill, with its slight differences, will hopefully be available soon.
Photo via Cliff/Flickr (CC BY 2.0)