BreachExchange mailing list archives

Senate Passes Cybersecurity Info Sharing Bill
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 27 Oct 2015 19:02:49 -0600

http://www.databreachtoday.com/senate-passes-cybersecurity-info-sharing-bill-a-8633

The Senate on Oct. 27 passed by an overwhelming margin the controversial
Cybersecurity Information Sharing Act of 2015, which provides businesses
with liability protections if they voluntarily share cyber threat
information with each other and the federal government. The vote was 74-21.

Now the measure must be reconciled with two related bills passed earlier by
the House, ironing out discrepancies and combining them into one measure to
present to President Obama (see House OKs 2nd Cyberthreat Info Sharing
Bill).

Supporters of CISA, including the Financial Services Roundtable and the
U.S. Chamber of Commerce, among other business groups, argued it will help
pave the way for an increase in the sharing of cyber threat information
that could be used to help prevent breaches. But opponents, including some
privacy advocates and major technology firms, argued that the legislation
would lead to the exposure of private information of American citizens to
spy agencies and law enforcement (see Senate Wrestles with Cyber Threat
Info Sharing Bill).

Long Quest

"This has been a six-year effort, and it hasn't been easy," said Sen. Dianne
Feinstein, D-Calif., who led the effort to pass CISA, along with Sen.
Richard Burr, R-N.C. "We've been trying to strike a balance" between the
privacy of citizens' information and better cybersecurity, Feinstein told
her Senate colleagues before the day's lineup of votes. The bill's backers
have worked to make the legislation "understandable to business," she
argued.

"We see the same cyber intrusions used again and again to penetrate
targets," she said. If someone sees malware or other signs of attack,
companies should be able to share information without fear of liability or
violations of antitrust laws, she contended.

The bill approved by the Senate incorporated a package of amendments
bundled together last week. That package includes, for example, an
amendment calling for a study of the cybersecurity of the Department of
Health and Human Services and the healthcare sector and a review of federal
computers that have access to classified information or personally
identifiable information. It also includes some privacy-related provisions,
including certain limits on what data the government can collect and how it
can be used. "We did everything in this bill that we possibly could to
satisfy privacy concerns," Feinstein declared.

Also approved was a separate amendment sponsored by Sen. Jeff Flake, R-Ariz.,
that sunsets CISA after 10 years. Flake had originally proposed sunsetting
the bill after six years.

Rejected Amendments

Before the bill was passed, the Senate rejected a series of other
amendments designed to add a variety of additional privacy-related
provisions to the legislation.

Among the amendments rejected were proposals from Sen. Ron Wyden, D-Ore.,
Sen. Dean Heller, R-Nev., and Sen. Chris Coons, D-Del., that generally
would have imposed stricter requirements for the removal of personal
information under certain conditions before cyber threat updates were
shared. Also rejected was a proposal from Sen. Al Franken, D-Minn., to
further restrict the type of information that the government would receive
by redefining "cybersecurity threat" in the bill.

In addition, an amendment from Sen. Patrick Leahy, D-Vt., to strike a
Freedom of Information Act exemption from the bill also failed to pass. In
a statement issued by Leahy's office on Oct. 26, the senator said CISA
contains "an unnecessary provision that would weaken the Freedom of
Information Act, the government's premier transparency law." But Feinstein
argued that eliminating the FOIA exemption in CISA would only embolden
cyber attackers. "Information should not be widely available to hackers,"
she said.

Another proposal that was rejected, from Sen. Tom Cotton, R-Ark., proposed
that businesses that share cyber threat information directly with the FBI
and Secret Service would get the same liability protections as those that
share information via a Department of Homeland Security portal, as called
for under the bill.

Feinstein argued Cotton's proposal had the potential of eating away at
personal privacy protections. There is a need "to limit information to be
shared to DHS," she said. "Information goes to the portal, gets scrubbed,
and then goes to respective agencies. Privacy is protected."

The CISA bill is about sharing information about cyber threats, not
cybercrimes, Feinstein emphasized. "When there is a cybercrime, we're
talking about very different information. The FBI takes a much deeper look
into [crime-related] information."

CISA doesn't mandate businesses share cyber threat information, Sen. Tom
Carper, D-Del., stressed.

"Companies don't have to share information with federal government, but
they can," he said.

Carper also discouraged his Senate colleagues from approving the Cotton
amendment because of the potential that cyber threat information would be
"stove piped" to agencies, such as the FBI, when DHS is the most
appropriate government unit to handle cyber threat information and address
it in real time. The Cotton proposal "is dangerous," he argued.

Strong Reactions

The American Bankers Association lauded the Senate for passing the measure.
"CISA facilitates increased cyber intelligence information sharing between
the private and public sectors, and strikes a balance between protecting
consumer privacy and allowing information sharing on serious threats to our
nation's critical infrastructure," the ABA said in a statement.

Nevertheless, the ABA expressed some concerns about the measure. "While
CISA will help our industry work more effectively with the federal
government and other sectors to better protect our customers from cyber
threats, we're concerned that some provisions adopted by the Senate may
have the unintended consequence of making information sharing less
effective. In particular, a provision that would change the inherent
voluntary nature and structure of CISA by allowing DHS to create
cybersecurity standards for critical infrastructure that would have the
practical impact of regulation is unnecessary and harmful."

Fight for the Future, an advocacy group that strongly opposed CISA because
it claims the measure would lead to the exposure of Americans' private
information to spy agencies and law enforcement, said in a statement that
the bill "codifies the U.S. government's unconstitutional spying programs
while completely failing to prevent cyberattacks."

The group also said: "By supporting a bill that has been resoundingly
rejected by security experts, tech companies and advocacy groups from
across the political spectrum, these politicians have highlighted the
brokenness of our political system and exposed the reality that U.S.
Congress is one of the Internet's greatest foes."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 