Bill stalls, faces long debates
In the Senate, S. 754, the Cyber Information Sharing Act (CISA) and S. 456, The Cyber Threat Sharing Act of 2015 (CTSA), have been combined under S. 754. That bill is currently stalled in the Senate.
Its fate is very much uncertain. Anton Dahbura, of the Johns Hopkins University Information Security Institute, referring to a story in The Hill, told conference attendees that Senate Intelligence Chairman Richard Burr (R-N.C.) had said it could be well into October before it’s taken up again.
Even then, it could be debated to death, as was the case with bills proposed three years earlier. Dahbura said the bill already has a slate of 22 amendments pending.
The bill has the declared support of the White House, and Schwartz said he thought the Senate bill had improved on earlier efforts, both in the protection of PII and in better limitations on the allowed uses of information.
“We think if both bills pass, we can address the remaining problems in the conference committee,” he said.
But there is intense opposition to S. 754 from civil liberties and privacy advocates, and even from the DHS, which, in a letter to Sen. Al Franken (D-Minn.), warned that the sharing provisions of the bill “could sweep away important privacy protections.”
And on the private-sector side, 40 organizations and 31 individuals signed a letter to the president, contending that S. 754 would violate the administration’s own stated priorities to “preserve Americans’ privacy, data confidentiality and civil liberties and recognize the civilian nature of cyberspace.”
Bruce Heiman, a partner at K&L Gates, who spoke at the conference on the legal implications of the pending legislation, said there are more risks than benefits to the private sector from such sharing.
But he said that, whatever the final form of the legislation, it should be scrutinized with at least the following questions:
- What kind of information will be shared?
- Will PII be scrubbed?
- What departments of the government will receive data from the private sector, and what other departments will they share it with? Heiman said DHS, as a civilian agency, should be the “central portal” for the collection of information. The “key issue” after that, he said, is whether it would then be shared with law enforcement or intelligence agencies like the Department of Defense or NSA.
- What can the information be used for?
- What legal liability protections does it provide to the private organizations that share threat information?