The Senate Intelligence Committee passed the controversial Cybersecurity Information Sharing Act, or CISA, by a vote of 14 to 1 on Thursday afternoon.
Co-sponsored by Intelligence Committee Chairman Richard Burr (R-N.C.) and Vice Chairman Dianne Feinstein (D-Calif.), the legislation is designed to make it easier for businesses and governments to share threat and attack information to defend against cyber-attacks, but privacy groups oppose the bill over its potential to give the government access to a huge trove of personal data about Americans.
“The bill approved today by the Intelligence Committee on a strong bipartisan vote is a critical step to confront one of the most dire national and economic threats we face: cyber attacks,” Feinstein said in a statement. “In just the last year, hundreds of millions of Americans have had their data compromised, a number of major American companies have been attacked, intellectual property has been stolen, and there have even been attempts to hack our critical infrastructure.”
“This bill would help defend against cyber attacks by allowing purely voluntary information sharing—limited to specific information about cyber threats—to better help the private sector and government understand and respond to these threats,” Feinstein continued. “The robust privacy requirements and liability protection make this a balanced bill, and I hope the Senate acts on it quickly.”
As the only member of the committee to vote against the bill, Senator Ron Wyden (D-Ore.) said the bill lacks privacy protections, and doesn’t secure networks.
“It makes sense to encourage private firms to share information about cybersecurity threats,” Wyden said in a statement. “But this information sharing is only acceptable if there are strong protections for the privacy rights of law-abiding American citizens.”
According to Feinstein, The Cybersecurity Information Sharing Act of 2015:
• Directs increased sharing of classified and unclassified information about cyber threats with the private sector, including declassification of intelligence as appropriate.
• Authorizes private entities to monitor their networks or those of their consenting customers for cybersecurity purposes. Companies are authorized to share cyber threat indicators or defensive measures with each other or the government.
• Requires the establishment of a capability (sometimes referred to as a “portal”) at the Department of Homeland Security (DHS) as the primary government capability to quickly accept cyber threat indicators and defensive measures through electronic means.
• Provides liability protection for companies’ appropriate use of additional cybersecurity authorities. The monitoring of networks for cybersecurity threats is protected from liability, along with sharing information about cyber threats between companies consistent with the bill’s requirements.
• Requires reports on implementation and privacy impacts by agency heads, Inspectors General, and the Privacy Civil Liberties Oversight Board to ensure that cyber threat information is properly received, handled, and shared by the government.
Privacy protections include:
• Does not require any private sector entity to share cyber threat information. Sharing is strictly voluntary.
• Narrowly defines the term “cyber threat indicator” to limit the amount of information that may be shared under the Act.
• Limits the use of cyber threat indicators to specific purposes, including the prevention of cybersecurity threats and serious crimes.
• Requires the removal of personal information prior to the sharing of cyber threat indicators.
“This bipartisan legislation is critical to securing our nation against escalating cyber threats,” said Burr. “I’m pleased CISA will advance to the Senate floor where it will enjoy support from both sides of the aisle. The bill we passed today is overdue and will enable our agencies and institutions to share information about cyber threats while also providing strong privacy protection for our citizens. With risks are growing every day, we are finally better prepared to combat cyber attackers with this bill.”
Wyden disagrees, making his case that the bill lacks appropriate measures to protect citizens’ privacy.
“If information-sharing legislation does not include adequate privacy protections then that’s not a cybersecurity bill – it’s a surveillance bill by another name,” Wyden added. “I am concerned that the bill the U.S. Senate Select Committee on Intelligence reported today lacks adequate protections for the privacy rights of American consumers, and that it will have a limited impact on U.S. cybersecurity.”
“The most effective way to protect cybersecurity is by ensuring network owners take responsibility for security,” Wyden continued. “Strong cybersecurity legislation should make clear that government agencies cannot order U.S. hardware and software companies to build weaker products, as senior FBI officials have proposed.”
Related: Understanding The Challenges In Information Sharing
Related: Cyber Attack Exercise Reveals Information Sharing Struggles