The U.S. Senate is slated this week to take up legislation that aims to bolster cybersecurity by spurring businesses and the federal government to share information about digital threats and best practices with one another.
The measure, known as the Cybersecurity Information Sharing Act, would direct the federal government to develop ways to share information with the private sector while taking steps to protect privacy and civil liberties. The bill also aims to address antitrust concerns by shielding businesses that share information from enforcement of laws that otherwise might dissuade those businesses from cooperating. The House passed a similar measure in April.
The push represents the third time in as many years that Congress has tried to pass legislation that would encourage sharing of cyber threats. Recent cyberattacks on the Office of Personnel Management, Sony Pictures Entertainment and other targets have prompted legislators to try again. Cybercrime costs the global economy more than $400 billion annually, according to a study released jointly last summer by McAfee and the Center for Strategic and International Studies
Though the measure passed the Senate Intelligence Committee in March, maneuvering underway since then has centered on a tension between defending digital networks and protecting the privacy of Americans whose information is stored in those systems.
Among the concerns: the measure could result in companies handing over personally identifiable information to the National Security Agency. Such information might include, for example, the browsing history of someone who happens to have visited a website that becomes the subject of a cyberattack.
On Monday, Senator Al Franken, Democrat of Minnesota, released a letter from the Department of Homeland Security (DHS), which cautioned against allowing companies to share information with intelligence agencies without first channeling the information through DHS. “The Administration has consistently maintained that a civilian entity, rather than a military or intelligence agency, should lead the sharing of cyber threat indicators and defensive measures with the private sector,” wrote Alejandro Mayorkas, the deputy secretary of homeland security.
“The authorization to share cyber threat indicators and defensive measures with ‘any other entity or the Federal Government,’ ‘notwithstanding any other provision of law’ could sweep away important privacy protections, particularly the provisions in the Stored Communications Act limiting the disclosure of the content of electronic communications to the government by certain providers,” Mayorkas added.
Though Senators Richard Burr, Republican of North Carolina and chairman of the intelligence panel, and Dianne Feinstein, the committee’s top Democrat, have circulated an amendment that aims to address concerns over the legislation’s impact on privacy, some civil liberties groups say the fixes don’t go far enough. According to the Center for Democracy and Technology, the bill as modified still would authorize the government to use information about cyber threats to investigate and prosecute crimes of espionage, identity theft and trade secrets violations, regardless whether those infractions tie to cybersecurity.
The White House backs passage of cybersecurity legislation but has called on Congress to strengthen protections for privacy and to narrow an exemption from liability for companies that fail to secure their networks after receiving information they receive.
That leaves the question whether the measures actually may cause businesses and the government to exchange more information about cyber threats. While the measure aims to ease companies’ fears of legal liability, the Department of Justice and the Federal Trade Commission already have advised companies “that properly designed sharing of cyber threat information should not raise antitrust concerns.”
And as N. Eric Weiss of the Congressional Research Service observed in June, sharing of cyber threats happens currently. Industries ranging from retail to financial services participate in so-called information sharing and analysis centers (ISACs) that serve as clearinghouses for information about cyber threats.
“The ‘bottom line’ is how likely nonfederal entities—particularly businesses—value the benefits from sharing information against the cost of sharing,” wrote Weiss, who notes that neither bill would address the cost of membership in ISACs, which can cost anywhere from $10,000 to $100,000 to join and thus might exceed the ability of small and medium-sized businesses to afford.
Still, the wave of cyberattacks—and the fallout from them—might cause businesses to think anew about the advantages of sharing. “Although most data breaches have not been expensive compared with the revenues and profits earned,” noted Weiss, “recent events may change the attitude of boards of directors and senior management: the chief executive officers at Target and Sony Entertainment were forced to resign.”