BreachExchange mailing list archives

Cybersecurity Info Sharing Bill Draws Criticism


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 17 Jul 2014 19:04:56 -0600

http://www.bankinfosecurity.com/cybersecurity-info-sharing-bill-draws-criticism-a-7067

Privacy advocates are escalating their objections to the Cybersecurity
Information Sharing Act that overwhelmingly passed the Senate Intelligence
Committee last week.

Experts who have reviewed the legislation, as amended by the committee, say
CISA, as the bill's known, is not substantially different than the Cyber
Intelligence Sharing and Protection Act, or CISPA, which passed the House
of Representatives last year but garnered a presidential veto threat (see:
Obstacles Facing Info Sharing Bill). The White House said CISPA didn't go
far enough to protect civil liberties and offered liability protections it
deemed too broad to businesses that share cyberthreat information (see
White House Threatens CISPA Veto Again). The administration usually doesn't
comment on legislation until a vote is imminent, and a White House
spokeswoman declined to comment on CISA.

CISA has been placed on the Senate legislative calendar, but that doesn't
guarantee that it will be scheduled for floor debate and vote. The office
of Senate Majority Leader Harry Reid, D-Nev., who would schedule a vote,
did not reply to a query about the bill's status.

Objections to the Senate Bill

A group of privacy and civil liberties advocacy groups wrote a letter to
President Obama asking him to issue a new veto threat, saying the language
in CISA, like CISPA, bypasses the administration's previously stated
preference of having a civilian agency lead federal cybersecurity efforts.
Instead, the letter says, both bills favor the automatic and simultaneous
transfer of cybersecurity information to American intelligence agencies,
including the National Security Agency.

The letter also says CISA would allow the government to use shared
cyberthreat information to not just protect vital IT but to aid in criminal
investigations and prosecutions, which the advocates say should be beyond
the scope of the measure. "Because CISA does not remedy any of the failures
the administration previously identified in CISPA and because it fails to
adequately protect all users," the letter says, "we request that you
promptly pledge to veto this dangerous legislation."

One difference between CISA and CISPA is that the Senate bill specifically
addresses antitrust concerns raised by some business leaders who didn't
want to be accused of colluding with competitors if they shared cyberthreat
information. Several lawyers said that concern was unfounded because
sharing data about malware isn't the same as sharing information about
pricing competitive products, which is illegal.

Joseph Bauer, a Notre Dame Law School antitrust professor, says existing
antitrust laws would not have prevented competing businesses from sharing
cyberthreat information, but he says adding antitrust language to CISA
could deter some lawsuits.

"I don't think it changes the existing law," Bauer says of CISA's antitrust
provisions, noting that only about 5 percent of antitrust cases are brought
by the government. "What it may do is make that law clearer, and therefore
either dissuade even a possibility of a lawsuit or, if that lawsuit was
brought, lead to its quick and inexpensive termination."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
