Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Privacy

Senate Committee Advances Controversial Cybersecurity Bill

The Senate Intelligence Committee passed the controversial Cybersecurity Information Sharing Act, or CISA, by a vote of 14 to 1 on Thursday afternoon.

The Senate Intelligence Committee passed the controversial Cybersecurity Information Sharing Act, or CISA, by a vote of 14 to 1 on Thursday afternoon.

Co-sponsored by Intelligence Committee Chairman Richard Burr (R-N.C.) and Vice Chairman Dianne Feinstein (D-Calif.), the legislation is designed to make it easier for businesses and governments to share threat and attack information to defend against cyber-attacks, but privacy groups oppose the bill over its potential to give the government access to a huge trove of personal data about Americans. 

“The bill approved today by the Intelligence Committee on a strong bipartisan vote is a critical step to confront one of the most dire national and economic threats we face: cyber attacks,” Feinstein said in a statement. “In just the last year, hundreds of millions of Americans have had their data compromised, a number of major American companies have been attacked, intellectual property has been stolen, and there have even been attempts to hack our critical infrastructure.”

Senate

“This bill would help defend against cyber attacks by allowing purely voluntary information sharing—limited to specific information about cyber threats—to better help the private sector and government understand and respond to these threats,” Feinstein continued. “The robust privacy requirements and liability protection make this a balanced bill, and I hope the Senate acts on it quickly.”

As the only member of the committee to vote against the bill, Senator Ron Wyden (D-Ore.) said the bill lacks privacy protections, and doesn’t secure networks.

“It makes sense to encourage private firms to share information about cybersecurity threats,” Wyden said in a statement. “But this information sharing is only acceptable if there are strong protections for the privacy rights of law-abiding American citizens.”

According to Feinstein, The Cybersecurity Information Sharing Act of 2015:

• Directs increased sharing of classified and unclassified information about cyber threats with the private sector, including declassification of intelligence as appropriate.

• Authorizes private entities to monitor their networks or those of their consenting customers for cybersecurity purposes. Companies are authorized to share cyber threat indicators or defensive measures with each other or the government.

• Requires the establishment of a capability (sometimes referred to as a “portal”) at the Department of Homeland Security (DHS) as the primary government capability to quickly accept cyber threat indicators and defensive measures through electronic means.

• Provides liability protection for companies’ appropriate use of additional cybersecurity authorities. The monitoring of networks for cybersecurity threats is protected from liability, along with sharing information about cyber threats between companies consistent with the bill’s requirements.

• Requires reports on implementation and privacy impacts by agency heads, Inspectors General, and the Privacy Civil Liberties Oversight Board to ensure that cyber threat information is properly received, handled, and shared by the government.

Privacy protections include:

• Does not require any private sector entity to share cyber threat information. Sharing is strictly voluntary.

• Narrowly defines the term “cyber threat indicator” to limit the amount of information that may be shared under the Act.

• Limits the use of cyber threat indicators to specific purposes, including the prevention of cybersecurity threats and serious crimes.

• Requires the removal of personal information prior to the sharing of cyber threat indicators.

“This bipartisan legislation is critical to securing our nation against escalating cyber threats,” said Burr. “I’m pleased CISA will advance to the Senate floor where it will enjoy support from both sides of the aisle. The bill we passed today is overdue and will enable our agencies and institutions to share information about cyber threats while also providing strong privacy protection for our citizens. With risks are growing every day, we are finally better prepared to combat cyber attackers with this bill.”

Wyden disagrees, making his case that the bill lacks appropriate measures to protect citizens’ privacy.

“If information-sharing legislation does not include adequate privacy protections then that’s not a cybersecurity bill – it’s a surveillance bill by another name,” Wyden added. “I am concerned that the bill the U.S. Senate Select Committee on Intelligence reported today lacks adequate protections for the privacy rights of American consumers, and that it will have a limited impact on U.S. cybersecurity.”

“The most effective way to protect cybersecurity is by ensuring network owners take responsibility for security,” Wyden continued. “Strong cybersecurity legislation should make clear that government agencies cannot order U.S. hardware and software companies to build weaker products, as senior FBI officials have proposed.”

RelatedUnderstanding The Challenges In Information Sharing

RelatedCyber Attack Exercise Reveals Information Sharing Struggles

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Expert Insights

Related Content

Cybercrime

The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Ransomware

The Hive ransomware website has been seized as part of an operation that involved law enforcement in 10 countries.

Ransomware

US government reminds the public that a reward of up to $10 million is offered for information on cybercriminals, including members of the Hive...

Privacy

The EU's digital policy chief warned TikTok’s boss that the social media app must fall in line with tough new rules for online platforms...

Cybercrime

The owner of China-based cryptocurrency exchange Bitzlato was arrested in Miami along with five associates in Europe

Privacy

Meta was fined an additional $5.9 million for violating EU data protection regulations with WhatsApp messaging app.

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...

Cyberwarfare

Google Project Zero has disclosed the details of three Samsung phone vulnerabilities that have been exploited by a spyware vendor since when they still...