The Senate Intelligence Committee advanced a cybersecurity bill Tuesday that would grant legal immunity for companies to share computer threat data with the government.
The 12-3 vote, which moves the bill closer to a floor debate, cheered lawmakers who have been pushing for such legislation for several years. But it dismayed civil liberties advocates who say the Cyber Information Sharing Act, or CISA, fails to adequately shield Americans’ privacy.
“To strengthen our [computer] networks, the government and private sector need to share information about attacks they are facing and how best to defend against them,” Sen. Dianne Feinstein (D-Calif.), the committee chair, said in a statement after the closed session. “This bill provides for that sharing through a purely voluntary process and with significant measures to protect private information.”
A similar bill to provide companies liability protection passed the House last year. But the White House threatened to veto that bill, known as CISPA -- for the Cyber Information Sharing and Protection Act -- if Congress approved it without strengthening privacy protections. The committee has consulted with the White House and, members said, they believe they have a bill that balances privacy concerns with the desire to improve computer network security.
The Senate bill would authorize companies to monitor their own networks for cyber threats and implement countermeasures to block those threats. Any sharing of threat data -- such as malware -- would be for cybersecurity purposes only, and companies must take steps to avoid sharing personally identifying information, such as names and social security numbers.
The threat data would be sent to a Department of Homeland Security “portal” and then shared in real time with other federal agencies that have cyber missions, such as the Defense Department, the National Security Agency and the FBI.
Two committee members who opposed the bill said they agreed there was a need for information-sharing. “However, we have seen how the federal government has exploited loopholes to collect Americans' private information in the name of security,” Sens. Ron Wyden (D-Ore.) and Mark Udall (D-Colo.) said in a statement. “The only way to make cybersecurity information-sharing effective and acceptable is to ensure that there are strong protections for Americans’ constitutional privacy rights.”
Wyden and Udall were alluding to disclosures over the past year about National Security Agency intelligence collection, which includes a counterterrorism program to gather millions of Americans’ phone call detail records that had been authorized under a secret interpretation of surveillance law. A former NSA contractor, Edward Snowden, revealed the program and its authorization by the Foreign Intelligence Surveillance Court. Congress is debating legislation to end the NSA’s collection of the data.
Privacy advocates also expressed concerns.
“Users' communications information will continue to flow to the NSA under a cyber security umbrella even when it is irrelevant to a cyber threat,” said Gregory T. Nojeim, senior counsel for the Center for Democracy & Technology. “This is unacceptable."
Gabe Rottman, American Civil Liberties Union legislative counsel, said the bill is “a step back” from 2012, when similar Senate legislation had greater restrictions on sharing that safeguarded privacy.
“It’s extraordinary given what we’ve learned in the past year,” said Rottman, referring to the Snowden disclosures. “You would hope that Congress would be more protective of privacy rather than less.”
Some privacy advocates said the bill appeared to grant new powers to companies to “hack back” or conduct cyber counter-attacks against hackers who have intruded on their networks, to include deleting or encrypting data. A committee aide said the bill “does not authorize hack-backs or offensive cyber countermeasures.” The bill limits the use of countermeasures to one’s own network or to a client’s computer with their permission, the aide said.
Sen. Saxby Chambliss (R-Ga.), the committee vice chairman, said the legislation passed by the committee “is a strong, bipartisan bill” and he urged the Senate to take it up and pass it before the August recess.