The Senate Intelligence Committee on Tuesday approved the Cybersecurity Information Sharing Act (CISA), a bill ostensibly designed to enhance cyber security, but which alarms privacy advocates.
The bipartisan legislation, authored by Senate Intelligence Committee chair Dianne Feinstein (D-CA) and vice chair Saxby Chambliss (R-GA), seeks to promote information sharing about cyberthreats among government agencies and private sector companies.
The bill passed by a vote of 12-3 and now awaits further consideration by the Senate. Its counterpart, the Cyber Intelligence Sharing and Protection Act (CISPA), passed the House last year. Concern about CISPA prompted a petition that collected more than 117,000 signatures and a veto threat from the White House, which has already issued a similar executive order to promote cyber security and improve critical infrastructure.
Senator Feinstein in a statement characterized cyber attacks as the greatest threat to our national and economic security today. "To strengthen our networks, the government and private sector need to share information about attacks they are facing and how best to defend against them," she said. "This bill provides for that sharing through a purely voluntary process and with significant measures to protect private information."
Privacy groups, however, contend that the legislation does not do enough to protect private information. In a letter sent last month to Feinstein and Chambliss, the American Civil Liberties Union, the Center for Democracy and Technology, the Competitive Enterprise Institute, the Electronic Frontier Foundation, and more than a dozen other advocacy groups warned that CISA ignores the outcry over the revelations about the scope of NSA data gathering.
"Instead of reining in NSA surveillance, the bill would facilitate a vast flow of private communications data to the NSA," the letter said. "CISA omits many of the civil liberties protections that were incorporated, after thorough consideration, into the cyber security legislation the Senate last considered."
The letter decried the bill's militarization of civilian cyber security, its lack of limitations, its failure to protect personal information, its overbroad liability protection for countermeasures, its overbroad definition of cyber security threats, and the threat it poses to net neutrality regulations.
Feinstein and Chambliss insist the bill is narrowly focused on cyber security and does not affect net neutrality.
US Senators Ron Wyden (D-OR) and Mark Udall (D-CO) issued a joint statement opposing the bill due to its lack of privacy protections and to doubts about its ability to actually improve cyber security.
"We agree there is a need for information-sharing between the federal government and private companies about cyber security threats and how to defend against them," said Wyden and Udall. "However, we have seen how the federal government has exploited loopholes to collect Americans' private information in the name of security."