Congress Set to Enact Cyberthreat Information-Sharing LawCybersecurity Measure Attached to Massive Spending Bill
After years of failing to enact cyberthreat information-sharing legislation, Congress is poised to vote on a measure this week that would incentivize businesses to voluntarily share threat data with the federal government and with one another. The legislation, added to a 2,009-page omnibus $1.1 trillion spending bill, also would establish a process for the government to share threat information with businesses.
Although business groups generally favor the legislation, many privacy and civil liberties advocates have voiced strong opposition to it.
The House scheduled a vote on the legislation for Friday, with Senate action expected shortly thereafter if the lower chamber passes the measure. President Obama is expected to sign the legislation should it clear both houses.
Known as the Cybersecurity Information Sharing Act of 2015, the measure is a conglomeration of three bills, two passed by the House and one by the Senate earlier this year (see Senate Passes Cybersecurity Info-Sharing Bill). The chairs of both houses' intelligence committees and House Homeland Security Committee, as well as congressional leaders, worked out the final details of the legislation behind closed doors.
"This type of information sharing - with strict safeguards for private information - is key to countering cyberattacks," says Sen. Dianne Feinstein, D-Calif., vice chairman of the Senate Intelligence Committee, and cosponsor of the Senate version of the cyberthreat information-sharing legislation.
But one of the bill's fiercest opponents on Capitol Hill, Sen. Ron Wyden, D-Ore., contends the compromise legislation would do little to prevent major cyberattacks and questions whether it offers meaningful privacy protections to citizens. "This cybersecurity bill was a bad bill when it passed the Senate, and it is an even worse bill today," Wyden says. "Americans deserve policies that protect both their security and their liberty. This bill fails on both counts."
At the heart of the bill are provisions aimed at getting businesses to share cyberthreat information with the government. The main incentive would be furnishing businesses with so-called liability protections from lawsuits when they share cyberthreat information, such as malicious code, suspected reconnaissance, security vulnerabilities and anomalous activities, and identify signatures and techniques that could pose harm to an IT system.
Larry Clinton, president of the trade group Internet Security Alliance, characterizes the liability protections in the latest bill as a fair balance between the concerns of the privacy and security communities, although he contends a 2013 version of information-sharing legislation that passed the House, but never came up for a vote in the Senate, offered stronger liability protections. "I am concerned that the liability provisions, which were weakened to more political than real privacy concerns, may be too weak to provide enough incentives for entities to share information, which will hurt both our security and personal privacy interests," Clinton says. "Hopefully, enough was retained to improve our security overall; we will have to wait and see."
But Chris Pierson, chief security officer at invoicing and payments provider Viewpost, says the fears of lawsuits against businesses that share cyberthreat information are overplayed. "The provisions of the bill just protect the sharing of information in a written fashion - companies have always been able to share threat information at their discretion," Pierson says. "This makes it easier for the legal department to understand that some protections exist for their security people to share information."
DHS as Info-Sharing Hub
The bill designates the Department of Homeland Security to act as the cyberthreat information-sharing hub between government and business. Civil liberties activists wanted a civilian agency, not a military or intelligence entity such as the National Security Agency, to shepherd the flow of cyberthreat information between government and business. Still, the legislation would not prevent the NSA and other intelligence agencies from getting hold of the cyberthreat information. One provision of the bill would require DHS to establish an automated system to share cyberthreat information in real time with other government agencies. The bill also would allow the president, after notifying Congress, to set up a second information-sharing center if needed.
CISA would require the removal of personally identifiable information from data before being shared. However, the vagueness of the bill's language could result in "more private information [being] shared than the privacy community would prefer," says Paul Rosenzweig, a former Homeland Security deputy assistant secretary for policy, who analyzed the measure's language.
Opaque Process Criticized
Privacy advocates expressed dismay with this latest version of the legislation, particularly the opaque way in which a small group of lawmakers drafted the final version of the measure and then incorporated it into a colossal spending bill. "Such key legislation should not be sandwiched into the omnibus or a 2,000-plus page federal spending bill," says Mark Jaycox, legislative analyst for the Electronic Frontier Foundation, a civil liberties and privacy advocacy group. "This legislation should have followed the normal process: a formal conference committee bill that is sent back to the House and Senate separately for an up-or-down vote. Instead, it's being rammed through Congress via the funding bill."
But several experts caution about making too much of the information-sharing legislation curbing cyberthreats. "It will make the country safer, but only to a very, very small amount," says Martin Libicki, senior management scientist at think tank The Rand Corp. "Information sharing is one of many elements in cybersecurity, and removing liability penalties is only one element of many that will induce information sharing."
The Internet Security Alliance's Clinton picks up that theme: "My biggest fear is that passage of this bill will be misunderstood by policymakers as having addressed the cyber issue; it absolutely has not. Information sharing is just one tool, a useful tool, but not a sufficient tool in the effort to build a more secure cyber ecosystem."
Healthcare Industry Study
Besides CISA, the omnibus bill includes language to require the Department of Health and Human Services to convene a task force 90 days after enactment of the legislation to address the cybersecurity threats facing the healthcare sector. This task force would:
- Analyze how other industries have implemented cybersecurity strategies;
- Evaluate challenges and barriers facing private healthcare organizations in defending against cyberattacks;
- Review challenges the industry confronts in securing networked security devices; and
- Develop a plan to share cyberthreat information among healthcare stakeholders.
The task force would report its findings and recommendations to appropriate congressional oversight committees.