With the blessing of powerful financial industry proponents — and under criticism from privacy advocates — a cyber security bill that amends previously proposed legislation has passed the Senate Intelligence Committee in a 12 to 3 vote.
The Cybersecurity Information Sharing Act of 2014, sponsored by Sen. Dianne Feinstein (D-Calif.) and Sen. Saxby Chambliss (R-Ga.), relies on the federal government and the private sector to voluntarily share information on cyber threats, which its detractors contend will result in information flowing mostly one way — from private industry to government agencies like the National Security Agency (NSA).
Committee Chairwoman Feinstein, in a press release, lauded the Senate's bipartisan effort to pass an “important piece of information” following what she called “a tumultuous year in intelligence.”
Among other things, the bill authorizes funding for counterterrorism, collection of intelligence on critical threats and advanced IT infrastructure, and compels the general counsel of an intelligence agency to alert congressional intelligence committees to significant legal interpretation of the Constitution or federal law regarding intelligence activities.
It also requires the attorney general to set up a process to regularly review official publication of Justice Department Office of Legal Counsel opinions and provides for whistleblower protections for intelligence personnel.
If it becomes law, CISA 2014 will ensure measures to protect the identities of intelligence community employees from disclosure through the Freedom of Information Act.
After the committee gave the bill the nod, two members who cast nay votes, Democratic Senators Ron Wyden of Oregon and Mark Udall of Colorado, issued a statement that warned, “We have seen how the federal government has exploited loopholes to collect Americans' private information in the name of security. Without these protections in place, private companies will rightly see participation as bad for business.”
Last week, a group of 22 privacy advocates made much the same argument in a letter to the committee.
Implying that the bill didn't address concerns raised in the aftermath of the spying scandal at the NSA, which they say had “engaged in questionable cybersecurity practices,” the organizations agreed that the legislation didn't include the proper protections on personally identifiable information (PII) or set appropriate boundaries for information-sharing.
Indeed, in an analysis released prior to the Senate committee vote, the Center for Democracy & Technology voiced those criticisms and expressed concern that the bill “authorizes broadly-defined cybersecurity countermeasures and provides a good faith defense against claims that a countermeasure unlawfully damaged a network or stored information, encouraging reckless conduct that runs counter to the cybersecurity purpose of the bill.”
But the Senate committee remained resolute and the measure easily passed amid support from the financial industry, where companies are desperate for relief and protection from a nearly constant onslaught of cyber threats.
In a Monday letter to the committee, the American Bankers Association (ABA), the Financial Services Roundtable (FSRoundtable) and the Securities Industry and Financial Markets Association (SIFMA) called the draft bill “a good first step forward” since it provides liability and antitrust protections while balancing the need for privacy protection. The group said the proposed legislation “facilitates cross-sector information sharing and respects and builds upon existing information sharing programs,” but noted “some issues needed further clarification.”
Security industry professionals remain cautiously optimistic that the bill, although flawed, will do what it sets out to accomplish.
Calling it “extremely important that government and industry put more focus on cyber security,” Brandon Hoffman, senior director Global BD and SE, at RedSeal Networks, in a prepared statement sent to SCMagazine.com, said “the critique of this bill is hard to ignore.”
If the bill is to be effective, “it is imperative that information scrubbing or anonymizing the information without losing the pertinent details be determined,” Hoffman said. “This bill is not mandating sharing directly but rather opening up the avenues to implement sharing. Without a framework for data organization and format, along with appropriate protection, it may simply remain an awareness tactic.”
Saying that “we've never had an avenue in the past where government would willingly share classified cyber threat information” that business would find useful, Malwarebytes head Adam Kujawa noted in a prepared statement sent to SCMagazine.com that “depending on the actual product provided to companies because of this bill, it could be very useful.”
A similar bill that passed the House last year drew the threat of a veto from the White House.