Senate panel secretly approves cyberthreat sharing bill

13.03.2015
A U.S. Senate committee has voted in secret to approve a controversial bill that seeks to encourage businesses to share information about cyberthreats with each other and with government agencies.

The Senate Intelligence Committee, meeting behind closed doors, voted 14-1 late Thursday to approve the Cybersecurity Information Sharing Act [CISA], even though Senator Ron Wyden, who cast the lone vote against the legislation, said it doesn't adequately protect privacy.

"If information-sharing legislation does not include adequate privacy protections, then that's not a cybersecurity bill -- it's a surveillance bill by another name," Wyden said in a statement. The bill would have a "limited impact" on U.S. cybersecurity, he added.

The committee released a discussion draft of the bill last month, but did not publicly release an updated text of CISA before voting to send it to the Senate floor. The committee will release the text of the bill after amendments are added to it, it said in a news release.

The legislation would protect companies that share cyberthreat information from consumer lawsuits and would set up an information-sharing portal at the U.S. Department of Homeland Security, committee leaders said.

Typically, lawmakers introduce legislation weeks before a congressional committee takes action, and committees nearly always vote to amend and approve bills in open meetings. The Senate Intelligence Committee often meets in closed session to discuss intelligence and national security issues, but it's unclear how a cyberthreat information-sharing bill would have an immediate connection to national security.

The Intelligence Committee bill is sponsored by Senator Richard Burr, a North Carolina Republican and committee chairman, and Senator Dianne Feinstein, a California Democrat who has been one of the strongest defenders of U.S. government surveillance programs after leaks by former U.S. National Security Agency contractor Edward Snowden.

CISA narrowly defines what information companies can share, Burr said in a statement. The bill is "critical to securing our nation against escalating cyberthreats," he added. "With risks growing every day, we are finally better prepared to combat cyberattackers with this bill."

After the committee released its discussion draft of the bill, a group of 26 digital rights and privacy groups and 22 security experts signed a letter opposing that version. The discussion draft proposed to give the NSA "automatic access" to personal information shared with government agencies and allowed companies to engage in "dangerous" countermeasures during cyberattacks, said the letter, signed by the Center for Democracy and Technology, the American Civil Liberties Union, the Electronic Frontier Foundation and other groups.

While the committee pledged to add more privacy protections to the discussion draft, it's not clear what those protections are, said Robyn Greene, policy counsel with the New America Foundation's Open Technology Institute.

"The devil is in the details ... and we will be looking very closely at the language to determine whether the changes effectively protect Americans' privacy," Greene said by email. "Based on how dangerously broad and vague the last version of the bill was, it would be surprising if the bill agreed to in secret today will garner the support of the privacy community."

The committee also held a closed vote on a cyberthreat information-sharing bill during the last session of Congress, when Feinstein was chairwoman. That legislation failed to pass through Congress partly because digital rights and privacy groups voiced privacy concerns.

A similar bill, the Cyber Intelligence Sharing and Protection Act [CISPA] failed to pass through Congress in 2013 after online protests over the amount of information it would allow companies to share.

Still, momentum to pass a cyberthreat sharing bill may be growing. Early this year, President Barack Obama called on Congress to pass a bill that includes privacy protections, but it's unclear how his proposal differs from the Senate Intelligence version.

In February, Senator Tom Carper, a Delaware Democrat, introduced the Cyber Threat Sharing Act, which is similar to Obama's proposal. That bill has been referred to the Senate Homeland Security Committee, but the committee hasn't acted on it yet.

Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's email address is grant_gross@idg.com.

Grant Gross