Bill Allows Firms To Share Data With Government
The Senate passed a cybersecurity bill last week that would give companies legal immunity for sharing data with the federal government, over the protests of some lawmakers and consumer advocates who say that the legislation does not adequately protect Americans’ privacy.
The Cybersecurity Information Sharing Act, or CISA, must now be reconciled with legislation passed earlier this year by the House.
The Obama administration and lawmakers in both parties have sought for years to enact information-sharing legislation, and it now seems likely to become law.
The 74-to-21 vote comes as digital attacks against private companies and the government put pressure on lawmakers to address information security.
“For me, this has been a six-year effort … and it hasn’t been easy because what we tried to do was strike a balance and make the bill understandable so that there would be a cooperative effort to share between companies and with the government,” Sen. Dianne Feinstein, D-Calif., vice chairman of the Intelligence Committee and co-author of the bill, said on the Senate floor.
But privacy activists argue that the bill lacks robust privacy protections. They expressed concerns with provisions that allow the Department of Homeland Security to share information gathered in the program with other government agencies, such as the FBI or the National Security Agency.
Critics say that effectively turns the legislation into a backdoor surveillance bill that benefits the intelligence community.
The White House expressed qualified support for the legislation in a policy statement last week, indicating it would work to make improvements to the bill during the reconciliation process with the House legislation.
Supporters of the bill argue that the government could better help private companies secure their systems if it has more information about the threats they face. But companies have been reluctant to share information, fearing they would run afoul of privacy regulations, proponents say.
“It clears away the uncertainty and concerns that keep companies from sharing this information,” Feinstein said.
CISA would set up a hub for voluntary information that would be managed by DHS: When a company discovers suspicious activity on its systems, it would give information about the attack to the government, which would warn other companies.
In theory, the information shared would be limited to “threat indicators” — data such as technical information about the type of malware used or the ways that attackers covered their tracks while sneaking through systems.
But the bill also would give participating companies liability protections that could prevent customers from suing them for sharing private data, even in ways that violate a company’s own privacy policy, privacy advocates said.
Critics have warned that the bill, combined with surveillance programs revealed by former government contractor Edward Snowden, could give intelligence agencies more leeway to collect data directly from the infrastructure that supports the Internet.
Many civil liberties groups campaigned aggressively against the bill, with one group sending millions of faxes opposing the bill to congressional offices and pressuring tech companies to take a public stand against CISA.
Some tech giants opposed the bill, including Apple, which has strongly positioned itself on privacy issues. “We don’t support the current CISA proposal,” the company said in a statement. “The trust of our customers means everything to us and we don’t believe security should come at the expense of their privacy.”
But other tech companies have endorsed CISA, including IBM. “Sharing technical details on the latest digital threats is critical to strengthening America’s cyber defenses,” Timothy J. Sheehy, vice president for technology policy and IBM government and regulatory affairs, said in a statement after the Senate vote.
