Members of the Senate Intelligence Committee are drafting cyber legislation that would enable companies to share threat data with federal agencies without fear of getting sued, officials said Monday.
Efforts to move comprehensive legislation in this area have failed in recent years, with a bill to establish security standards and ease data sharing going down to defeat in 2012. Recent disclosures about ties between the National Security Agency and telecommunications firms have made it even more difficult to advance legislation that would call for the sharing of data between the government and the private sector.
The House has twice passed information-sharing-only bills — most recently last year — but the Senate has not been able to reach a consensus on the issue.
Still, senior intelligence and military officials recently have renewed calls for legislative action, citing the threat of cyberattacks.
The new, 39-page draft bill, written by Sen. Dianne Feinstein (D-Calif.), chairman of the intelligence committee, and Sen. Saxby Chambliss (Ga.), the ranking Republican, states that no lawsuit may be brought against a company for sharing threat data with “any other entity or the federal government” to prevent, investigate or mitigate a cyberattack.
Protection from lawsuits has been a key demand from industry officials and a point of contention for privacy advocates, who have argued that such an exemption could expose consumers’ data to potential government abuse or even encourage firms that have been hacked to go on the offensive.
In 2012, the advocates persuaded the committee to specify that the threat data could be shared only with a civilian agency. But the new draft leaves open the possibility that data could be sent directly to military or intelligence agencies.
The bill is prompting objections from civil liberties advocates, who say the legislation in its current form is too sweeping.
“This is definitely a step back,” said Gabe Rottman, legislative counsel and policy adviser for the American Civil Liberties Union, who was shown a copy of the draft. “The problem is the definitions of what can be shared and who it can be shared with are too broad. In this draft, companies can share data with the military and the NSA. Given the past revelations, I think it’s important to keep this information in civilian hands.”
A committee aide said staff members were seeking comment so that senators can consider revisions before any formal consideration of the legislation. The bill also would enable the government to share cyberthreat data with industry.
The draft states that information may be shared that “indicates, describes or is necessary” to identify a software vulnerability, computer intrusion or attack. Although it says that personal information not “directly related” to the attack should be stripped out before the data are passed on to the government, the looseness of the language and the real-time nature of data sharing leave room for error, privacy advocates said.
They also expressed concern that the data could be used not just for cybersecurity but also for foreign intelligence, counterintelligence or law enforcement aims.
Adm. Michael S. Rogers, the director of the NSA and head of the U.S. Cyber Command, said at his confirmation hearing in March that liability protection was “a critical element” of any cyber bill. Rogers, who was confirmed March 31, said such legislation “is a key for our future.”