Senate bill aims to promote information sharing to combat cyberthreats, but critics contend it lacks privacy protections.
The Senate Intelligence Committee on Tuesday approved the Cybersecurity Information Sharing Act (CISA), a bill ostensibly designed to enhance cyber security, but which alarms privacy advocates.
The bipartisan legislation, authored by Senate Intelligence Committee chair Dianne Feinstein (D-CA) and vice chair Saxby Chambliss (R-GA), seeks to promote information sharing about cyberthreats among government agencies and private sector companies.
The bill passed by a vote of 12-3 and now awaits further consideration by the Senate. Its counterpart, the Cyber Intelligence Sharing and Protection Act (CISPA), passed the House last year. Concern about CISPA prompted a petition that collected more than 117,000 signatures and a veto threat from the White House, which has already issued a similar executive order to promote cyber security and improve critical infrastructure.
Senator Feinstein in a statement characterized cyber attacks as the greatest threat to our national and economic security today. "To strengthen our networks, the government and private sector need to share information about attacks they are facing and how best to defend against them," she said. "This bill provides for that sharing through a purely voluntary process and with significant measures to protect private information."
Privacy groups, however, contend that the legislation does not do enough to protect private information. In a letter sent last month to Feinstein and Chambliss, the American Civil Liberties Union, the Center for Democracy and Technology, the Competitive Enterprise Institute, the Electronic Frontier Foundation, and more than a dozen other advocacy groups warned that CISA ignores the outcry over the revelations about the scope of NSA data gathering.
"Instead of reining in NSA surveillance, the bill would facilitate a vast flow of private communications data to the NSA," the letter said. "CISA omits many of the civil liberties protections that were incorporated, after thorough consideration, into the cyber security legislation the Senate last considered."
The letter decried the bill's militarization of civilian cyber security, its lack of limitations, its failure to protect personal information, its overbroad liability protection for countermeasures, its overbroad definition of cyber security threats, and the threat it poses to net neutrality regulations.
Feinstein and Chambliss insist the bill is narrowly focused on cyber security and does not affect net neutrality.
US Senators Ron Wyden (D-OR) and Mark Udall (D-CO) issued a joint statement opposing the bill due to its lack of privacy protections and to doubts about its ability to actually improve cyber security.
"We agree there is a need for information-sharing between the federal government and private companies about cyber security threats and how to defend against them," said Wyden and Udall. "However, we have seen how the federal government has exploited loopholes to collect Americans' private information in the name of security."
Nobody wants to be the next data breach headline. But ensuring that cyber security defenses are operating effectively and efficiently is a monumental challenge, given the sheer volume of information coming at us. Here's how to streamline your program. Get the Metrics That Work: Practical Cyber-Security Risk Measurements report today (registration required).
Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful ... View Full Bio
Security Job #1 For FedsThe 2014 InformationWeek Government IT Priorities Survey shows federal IT pros care about security - itís rated as very important by 69% of respondents, 30 percentage points ahead of the No. 2 priority, disaster recovery. Will the upcoming NIST cyber-security framework help manage risk?
InformationWeek Tech Digest, Nov. 10, 2014Just 30% of respondents to our new survey say their companies are very or extremely effective at identifying critical data and analyzing it to make decisions, down from 42% in 2013. What gives?