Washington—The Cybersecurity Information Sharing Act (S.754), approved Thursday by the Senate Intelligence Committee on a 14-1 vote and introduced yesterday, creates additional incentives to increase sharing of cybersecurity threat information while protecting individual privacy and civil liberties interests and offering liability protection to the private sector.
The bill includes a number of significant modifications from previous versions. These changes address a range of concerns, notably those raised by privacy advocates. In an effort to ensure this year’s bill enjoys strong bipartisan support, committee Chairman Richard Burr (R-N.C.), Vice Chairman Dianne Feinstein (D-Calif.), and ex officio member Senator John McCain reviewed a long list of potential revisions from last year’s bill and adopted many of them.
“One lesson we learned from previous information sharing bills is that we need strong privacy provisions,” Feinstein said. “There has been misinformation about this bill, so let me be clear: The goal of the bill is for companies and the government to voluntarily share information about cybersecurity threats—NOT personal information—in order to better defend against attacks. This bill includes more than a dozen significant changes from last year’s version. The privacy provisions are substantial and I believe address many of the concerns that had been raised in regard to earlier drafts of the bill.”
“I’m proud of the Committee’s work and the quality of this bill,” said Burr. “This legislation protects the privacy rights of Americans while also minimizing our vulnerability to cyber-attacks. Information sharing is purely voluntary and companies can only share cyber-threat information and the government may only use shared data for cybersecurity purposes. This legislation provides important liability protection for entities that share cyber threat information as provided in the bill. It further requires that both private and government entities remove personal information prior to sharing. These are protocols which will help minimize the threat to the United States and also ensure that our citizens are less likely to experience the same scale of attacks as we’ve seen in the Sony and Anthem attacks.”
Text of S.754 can be found here.
Clarifying three common misconceptions about the Cybersecurity Information Sharing Act:
- Countermeasures. There is no provision for offensive countermeasures. The bill authorizes “defensive measures” and makes clear this authorization does not extend to actions taken to harm computer networks. The bill also does not include liability protection for the use of defensive measures.
- DHS portal. The bill provides liability protection for sharing information with the government only when it is shared through the DHS portal, through non-electronic means or for two narrow exceptions concerning communications with an entity’s own regulator or communications about a previously shared cyber threat indicator. The Committee removed liability protection for other forms of sharing information that were included in previous drafts.
- How information is used. There is no surveillance authority in this bill. Sharing is purely voluntary and companies can only share cyber-threat information. The government cannot use this information for broad foreign intelligence or counterintelligence purposes, or even for counterterrorism purposes in general. It can only use this cyber threat information for terrorism purposes in the event of an imminent terrorist act. The definition of cyber threat indicator was written to prevent the government from receiving information outside of cyber threats.
The Cybersecurity Information Sharing Act includes a wide range of privacy provisions to safeguard consumer data:
- All cyber information sharing in this bill is completely voluntary. There is no mandatory sharing whatsoever. The government cannot require or pressure companies to share information with it.
- This legislation requires companies to take proactive steps to remove any irrelevant privacy information before sharing with other companies or the government. This means that companies that voluntarily decide to share threat information must review such information and remove any personally identifying consumer information not directly related to a cyber-threat before sharing data.
- The bill carefully restricts the authorization for a company’s monitoring of its own networks to cybersecurity purposes, and it requires a company to obtain authorization and written consent from its customers to monitor their networks.
- By narrowly defining what constitutes a “cyber threat indicator,” the bill drastically limits the amount of information and the types of information that may be shared under the bill.
- The bill strictly limits authorization for “defensive measures” to a company’s own networks or those of their consenting customers. The bill does not authorize any offensive or destructive activities.
- The bill requires the attorney general to develop and publicize mandatory policies, procedures and guidelines for how the government protects and shares data. These must include:
  - Limits on the length of time government can retain the information it receives.
  - Penalties for any abuses by federal officials.
  - Additional privacy protections including notification if any personal information is mistakenly shared.
- The bill creates a “portal” at the Department of Homeland Security to serve as the primary means for the government to receive cyber threat information. This will centralize and simplify the flow of information and ensure that privacy procedures developed by the attorney general are applied to incoming information.
- The government may only use voluntarily shared data under this legislation for cybersecurity purposes, to investigate cyber-attacks, to address imminent threats to life and imminent terrorist attacks, and to investigate computer-related crimes and serious, violent felonies.
- The liability protection contained within the bill does not apply to activities that fail to meet the bill’s privacy requirements or to any grossly negligent or willful misconduct, and companies are required to comply with the bill’s privacy protections before receiving liability protection.
- The bill establishes multiple levels of oversight to include senior government officials, the inspectors general of federal agencies, the Privacy and Civil Liberties Oversight Board and Congress.