The Chairman of the Senate Intelligence Committee said on Wednesday he expects cyber security legislation that promotes the voluntary sharing of cyber threat indicators between the private sector and the federal government and within the private sector to come to a vote either Monday evening or Tuesday.
The Senate on Thursday is expected to vote to invoke cloture on the Cybersecurity Information Sharing Act (CISA, S. 754) to allow debate to begin and amendments to be considered without the threat of a filibuster. Should the Senate pass the bill next week, it would then go to a conference with the House, which earlier this year passed two similar pieces of legislation aimed at promoting the sharing of cyber security threat indicators between and among the private and public sectors.
The CISA bill is co-sponsored by Intelligence Committee Chairman Richard Burr (R-N.C.) and Vice Chairman Sen. Dianne Feinstein (D-Calif.). The committee marked up the bill in March and approved it by a vote of 14-1 (Defense Daily, March 12).
The bill has the support of the United States Chamber of Commerce and other business groups such as the National Association of Manufacturers and the American Banking Association, but it is opposed by some technology companies such as Apple [AAPL] and Twitter [TWTR].
The Electronic Frontier Foundation, a non-profit organization that defends civil liberties in the digital age, is against CISA, saying its liability protection provisions meant to incentivize the private sector to share cyber threat data with the government are just “vague definitions that do not define what information can and cannot be shared, information can be used for purposes unrelated to cybersecurity, and has the potential to be used as another tool to conduct surveillance.”
Sen. Ron Wyden (D-Ore.), the lone dissenter when the Intelligence Committee approved the bill in March, repeated his opposition to the bill on the Senate floor on Wednesday, saying it is a “surveillance bill.” Wyden plans to introduce an amendment to strengthen privacy protections, his key gripe with the measure.
Burr and Feinstein both said on Thursday that any information sharing done by the private sector under the provisions of the bill is voluntary and that companies that don’t want to participate don’t have to.
The manager’s package submitted by Burr on Tuesday afternoon when discussion of CISA began on the Senate floor includes 14 amendments from a number of colleagues. Feinstein said the manager’s amendment includes new privacy protections that were made before the congressional recess in August as well as the 14 new amendments.
The manager’s package and related amendments change the bill in several ways: they eliminate the government’s ability to use cyber information to investigate and prosecute “serious violent felonies,” clarify the types of cyber information sharing that can be done outside of the information sharing portal with the Department of Homeland Security, require notification to U.S. persons when privacy information is mistakenly shared, require studies of cyber threats to mobile devices used at federal civilian agencies and of cyber security at the Department of Health and Human Services and the health sector, and direct the State Department to develop an international cyber policy.
Rep. Michael McCaul (R-Texas), chairman of the House Committee on Homeland Security, was skeptical of CISA because it does not contain enough privacy protections and focuses on the intelligence community (IC) over the Department of Homeland Security (DHS).
“The Senate is rolling out their CISA bill, which is a throwback to the CISPA bill, which was drafted pre-Snowden and before my bill passed the House. And my concerns really are as follows: that it not conflict with current law, that it not undermine the achievement that we had last Congress in passing five critical cybersecurity bills with the privacy protection. My concern with the Senate bill is that it weakens the role of DHS and elevates the role of the IC, the intelligence community, as the storefront, rather than the civilian agency, civilian portal being the storefront,” McCaul said at the Kaspersky 2015 Government Cybersecurity Forum on Tuesday.
Earlier this year two cybersecurity information sharing bills passed the House, one originating from McCaul in the Homeland Security Committee, the National Cybersecurity Protection Advancement Act (NCPAA) of 2015 (H.R. 1731) (Defense Daily, April 23). That bill would direct private sector information sharing with the government to a DHS portal.
“I’m very concerned that an NSA-centric rather than DHS-centric bill will have little or no hope of passing the House. And I had to work this very, very hard in the House to get a coalition of people, both the libertarians on the left and people on the far left to come together to try to do a security bill that had the strong liability protections. In my judgment, that’s the only way you can get this done. It’s the right thing to do policy-wise and it just happens to be the right thing to do politically I think as well,” McCaul added.
“I’m dedicated to preserving the privacy of Americans in this process and what I’m concerned about is if they damage that in the Senate in any way, it could bring down the entire effort that we worked so hard to do to provide an information sharing system for these malicious codes, which in turn will protect our critical infrastructures in the United States.”
However, McCaul’s thinking may be changing given the manager’s package introduced by Burr.
“We’ve been working very closely with our Senate counterparts in addressing the appropriate civilian role and enhancing privacy protections. Based on the newly released manager’s amendment, there seem to be positive developments, however, we are still reviewing the technical language,” a congressional aide familiar with the discussions said Wednesday.