Wednesday, October 21, 2015

‘Voluntary’ Cybersecurity Bill Again on Tap in Senate

By Mark S. Nelson, J.D.

The full Senate began consideration of an amended cybersecurity bill that earlier this year succumbed to privacy worries and political resistance when the bill’s sponsor tried to attach it to other must-pass defense legislation. Senator Richard Burr (R-NC), chairman of the Senate Select Committee on Intelligence, and Sen. Dianne Feinstein (D-Cal), the committee’s vice chairman, offered an amendment they say deals with the concerns that stymied the chamber’s prior efforts to match two bills already passed by the House.

Chairman Burr emphasized the “voluntary” nature of the amended bill while reiterating its importance in light of ongoing cyber threats. In later floor statements, the senator would liken the bill to a community watch program. The original version of the Cybersecurity Information Sharing Act of 2015 (S. 754) sailed through the intelligence committee on a strong bipartisan 14-1 vote in March.

The Chairman and Sen. Feinstein issued a myth-versus-fact FAQ on the changed bill. Chairman Burr said he expected a conference with the House once the Senate passes its cyber legislation. Previously, the Obama administration had expressed a few concerns about one of the related House bills, but said it hoped the Senate and House could work out any differences.

Chairman Burr said a managers’ amendment would drop a key provision from the original Senate bill regarding the government’s ability to prosecute non-cyber felonies exposed via cybersecurity information sharing. The amendments also would ensure that information could be shared only for cybersecurity purposes. These changes, Sen. Burr said, counter opponents’ argument that the legislation is just a surveillance bill.

The chairman invited his colleagues to come forward with their amendments and let the chamber vote on them. According to the chairman, the cyber bill can be voted on within a “couple” of days, but any attempts to “obstruct” it would require the Senate to spend more time mulling the proposal.

Senator Feinstein said she agreed broadly with Chairman Burr’s description of the changed bill and that she hoped the Senate would act quickly to pass it. But she said the bill is only a first step to repel those who would engage in cyber-attacks and cyber-intrusions, a move she said is needed to counter the shifting tenor of cyber breaches from mere theft to more attack-centric goals. Like Chairman Burr, Sen. Feinstein also noted the voluntary nature of the bill.

She said the amended bill would make clear that the federal government can share cyber information with the private sector and with state and local authorities. The bill also lets companies monitor their own networks for cybersecurity purposes only, implement limited defensive measures (albeit without harming any other network), and share and receive limited cyber threat information or defensive measures with other companies and the government (but not any non-cybersecurity information).

Moreover, Sen. Feinstein said the bill would create a “portal” within the Department of Homeland Security to centralize the government entry point for cybersecurity information. The legislation also sets up a framework for the issuance of guidelines to make sure cyber threat information is available to all federal agencies and to limit the privacy impact on shared information.

But not all members are satisfied with the proposed amendments. Senator Ron Wyden (D-Or) said even the managers’ amendment does too little to address core privacy worries. He also noted the bill is voluntary for companies, but it is mandatory for their customers, who may never know that the companies they deal with have elected to participate in sharing cyber threat information. Yet he said his “strongest point of disagreement” is the lack of a strong requirement to filter out personal information about customers gathered via permitted activities.

Kenneth E. Bentsen, Jr., president and CEO of the Securities Industry and Financial Markets Association, which represents a wide swath of the securities industry, said he backs the Senate's latest effort to deal with cybersecurity. The U.S. Chamber of Commerce also supports the legislation, a point Chairman Burr noted on the Senate floor. But Sen. Wyden told members that many business software groups still oppose the Senate bill.