Legislators had been working for months to finalize language contained in the compromise text merged from three separate bills. If President Obama signs the spending deal as is expected, companies will face corporate incentives for sharing cyber threat data with a host of federal, state, and local agencies.
The omnibus passed the House Friday morning with a vote of 316-113, and was approved by the Senate with a 65-33 vote in the afternoon.
“Chief information officers are not excited about this,” Matthew Green, a cryptographer and professor at Johns Hopkins University, told SCMagazine.com. “They are saying, we don't want anything to do with this.”
While the compromise text provides liability relief for companies sharing data with government agencies, many multinational corporations are concerned about reputational risk, especially as they try to navigate international issues such as Safe Harbour, which was ruled invalid by the European Commission in October.
“How that is all going to be resolved?” asked Green. “I have no idea, but it is the last thing that tech firms want to deal with right now.”
Earlier this month, Richard Salgado, Google's director for law enforcement and information security, challenged the Securities and Exchange Commission's (SEC) exemption request from a bill amending the Electronic Communications Privacy Act of 1986. In his testimony, Salgado said the request “raises the specter of providers, large and small, conscripted into serving as civil discovery vendors, unnecessarily placed in the middle of messy and protracted litigation of others.”
This concern is not unfounded. On Thursday, Google saw a 20 percent increase in the number of user information requests placed by U.S. authorities for criminal investigations – and a 49 percent increase in the number of individual accounts specified in those requests.
Paul Kurtz, CEO/co-founder of TruSTAR Technology and former White House Cybersecurity Advisor, told SCMagazine.com that cyber incident sharing will help protect the U.S. economy and national security. In an email obtained by SCMagazine.com, Kurtz wrote, “Providing liability relief for companies sharing cyber incident data amongst themselves and with the government provides a foundation on which to build a more collaborative cyber security defense.”