Controversial Cybersecurity Bill Clears Senate In Bipartisan Vote

28 Oct 2015

Senate Approves Cybersecurity Bill: What You Need To Know.

The latest clash in the cybersecurity-vs.-privacy debate played itself out in Congress on Tuesday when the Senate approved the Cybersecurity Information Sharing Act. WASHINGTON (AP) — The Senate passed a bill Tuesday aimed at improving cybersecurity by encouraging companies and the government to share information about threats. The Senate on Tuesday passed CISA, a controversial bill encouraging companies to share private user data with the government that is worrying to civil liberties advocates. All that is needed for companies to hand over huge swaths of information to the government is for it to contain “cyber threat indicators” – a vague phrase that can be interpreted to mean pretty much anything.

Your personal information – which can include the content of emails – will be handed over to the Department of Homeland Security, the agency supposedly responsible for the nation’s cybersecurity. The legislation, by Senate Intelligence Committee Chairman Richard Burr, R-N.C., and Vice Chairman Dianne Feinstein, D-Calif., must now be reconciled with two similar bills passed by the House earlier this year. None of the Republican presidential candidates (except Lindsey Graham, who voted in favor) were present to cast a vote, including Rand Paul, who has made privacy from surveillance a major plank of his campaign platform. The Senate rejected amendments, including one addressing concerns that companies could give the government personal information about their customers. The White House announced support last week for the Senate bill, although it stated a desire for some revisions before it lands on President Barack Obama’s desk.

From there the information can be sent along to the NSA, which can add it to databases or use it to conduct even more warrantless searches on its internet backbone spying (which once again, a judge ruled last week could not be challenged in court because no one can prove the NSA is spying on them, since the agency inevitably keeps that information secret). Ahead of the vote a group of university professors specializing in tech law, many from the Princeton Center for Information Technology Policy, sent an open letter to the Senate, urging them not to pass the bill. Congress was under pressure to act in the wake of recent high-profile cyber attacks against T-Mobile, Anthem health insurance, Sony Pictures, JPMorgan Chase, Target, Home Depot, the Internal Revenue Service and the federal Office of Personnel Management. Just last week, federal officials confirmed that they are investigating reports that a teenage hacker broke into the personal email accounts of CIA Director John Brennan and Homeland Security Secretary Jeh Johnson. “The challenges posed by cyber attacks are real and they’re growing,” said Majority Leader Mitch McConnell, R-Ky. “Everyone understands that a cyber attack can be a deeply invasive attack on personal privacy. Led by Princeton’s David S Levine, the group joined a chorus of critics including many of the largest technology companies, notably Apple, and National Security Agency (NSA) whistleblower Edward Snowden in calling for Cisa to be scrapped.

A round of amendments intended to strengthen some of the bill’s privacy protections failed on Tuesday as the bill’s bipartisan sponsors warned last-minute changes could upset the balanced language that was the culmination of years of negotiations. That’s why everyone should want to see the bipartisan cybersecurity bill … pass.” Minority Leader Harry Reid, D-Nev., said senators needed to act to help prevent an attack by cyber terrorists against the nation’s power grid, banks, or communication networks. “Cyber terrorists could potentially bring the United States to its knees,” Reid said. “Imagine the toll of such an attack: massive power blackouts; no telephone or Internet capability; overwhelmed first-responders; and an infrastructure system reduced to chaos.” Supporters of the legislation overcame strong opposition from privacy advocates, who argued the bill would enable more government spying on citizens by allowing companies to turn over their customers’ information to federal agencies without consumers’ permission. Under the bill, companies would have increased liability protection when collecting and sharing user personal information that could potentially be related to security threats. The bill’s passage through the Senate was a defeat for digital privacy activists who celebrated the passage in June of a law effectively ending the NSA’s bulk collection of U.S. call metadata. Ron Wyden, D-Ore., a leading privacy rights advocate, said opposition to the bill by tech companies such as Apple, Google, Microsoft, and Twitter underscored the bill’s weak privacy provisions. “Sharing information about cybersecurity threats is a worthy goal,” Wyden said. “Yet if you share more information without strong privacy protections, millions of Americans will say, ‘That is not a cybersecurity bill.

The curtailment of that program, which had been exposed in 2013 by former NSA contractor Edward Snowden, represented the first significant restriction of the U.S. government’s intelligence-gathering capabilities since the Sept. 11, 2001, attacks. The data in question would come from private industry, which mines everything from credit card statements to prescription drug purchase records to target advertising and tweak product lines.

The Wyden amendment would have inserted language to protect personally identifiable information by making companies remove it “to the extent feasible” because personal information doesn’t provide information about cyber threats. This is the state of “cybersecurity” legislation in this country, where lawmakers wanted to do something, but lacking any sort of technical expertise – or any clue at all what to do – just decided to cede more power to intelligence agencies like the NSA. It also prohibits the government from monitoring private networks and retaining cyber threat information for anything other than cybersecurity purposes.

In exchange for participating, the companies would receive complete immunity from Freedom of Information Act requests and regulatory action relating to the data they share. The bill, which used to be known as Cispa, has been festering in Congress for years, and now it looks like it will finally head to the President’s desk.

Burr said the bill won’t prevent all cyber attacks but will lessen their impact by helping to stop them from spreading from one company or government agency to another. DHS would then share the information throughout the government. Among the bill’s opponents are industry groups representing a broad swath of tech companies, several of which have come out individually against the bill in addition to statements from industry trade groups. Wyden also criticized the fact that CISA’s information sharing is promoted as voluntary, even though it is only voluntary for companies ‒ not customers. The average cost of a data breach for a company is $3.8 million and growing, said Ann Beauchesne, senior vice president for national security at the U.S. After accusations that the company had been informally calling senators to say they wouldn’t oppose the bill, Facebook said it had not lobbied in Cisa’s favor, but that it did not have a public stance on it.

It will be mandatory for their customers,” Wyden said about the bill earlier in October. “And the fact is the companies can participate without the knowledge and consent of their customers, and they are immune from customer oversight and lawsuits if they do so.” The Heller amendment was put forth by Sen. Jeff Flake, R-Ariz., to require the bill — if it becomes law — to expire in 10 years so that Congress can decide whether it is working and should be renewed.

Many companies don’t realize they’ve been attacked, either because they’re not investing in services to identify breaches or not reading the data they’ve collected. The program created by Cisa wouldn’t be of much use to them – private industry is widely acknowledged to be further down this road than the government – but regulatory and Foia immunity could come in handy. The Sunshine in Government Initiative, a Washington organization that promotes open government policies, urged the Senate last week to support Leahy’s amendment.

The bill must next pass the House of Representatives, a procedure that will likely be much quicker and smoother than the opposition it faced in the Senate from Oregon senator Ron Wyden, among others. Even with the amendment, most information shared between the federal government and companies would already be protected from FOIA requests as it is considered proprietary information. “The vast majority of the exemption is already protected from disclosure,” Leahy said before the amendment came to a vote on Tuesday. Participation is voluntary and companies have long been reluctant to tell the U.S. government about their security failures. “Passing the bill will have no effect on improving cybersecurity,” said Alan Paller, director of research for the SANS Institute. “That’s been demonstrated each time sharing legislation has been passed.

Mending that patchwork and others like it in private industry, said researcher Brian Krebs on his blog, Krebs on Security, is a much surer way to improve security. “While many business leaders fail to appreciate the value and criticality of all their IT assets, I guarantee you today’s cybercrooks know all too well how much these assets are worth,” wrote Krebs. “And this yawning gap in awareness and understanding is evident by the sheer number of breaches announced each week.” That gap is always going to be worse in the government than in the private sector, information sharing or not, said Jasper Graham, formerly a technical director at the NSA. The cost to companies of disclosing their failings is so great that they avoid it even if there is a major benefit to them of learning about other peoples’ failings.” Cyberattacks have affected an increasing number of Americans who shop at Target, use Anthem medical insurance or saw doctors at medical centers at the University of California, Los Angeles.

Even if you mandate something proven to impede data thieves, like public-key infrastructure (PKI) encryption, you’ll hit a wall. “If you say, ‘Everyone now must use PKI!’ you get one small department saying, ‘Actually, we can’t do that,’ and that’s a nightmare,” Graham said. “Regular organizations aren’t really tied to what Donald Trump says tonight in the same way. The government has to do a better job than it’s currently doing, and the best way to do that is to get bipartisan funding.” Robyn Greene of the New America Foundation characterized the legislation as a “do-something” bill. “The Sony hack really changed the conversation,” Greene said. “You can see that in the way the administration approached cybersecurity – they stopped saying ‘This is something that has to get done right’ and started saying ‘This is something that has to get done now.’” Al Franken (D-Minnesota) to narrow the bill’s definitions of “cybersecurity threat.” It would have limited that designation to actions that are “reasonably likely to” cause damage to the company’s network, as opposed to CISA’s default “may.” The provision would also limit an aspect of the definition of “cyber threat indicator” to include only information necessary to describe actual harm caused by an incident, not “potential harm,” as in the original bill. The U.S. and the technology industry already operate groups intended to improve sharing of information among the government and businesses, including the Homeland Security Department’s U.S. Back when Democrats controlled the Senate, they blocked a bill with a similar acronym — CISPA (the Cyber Intelligence Sharing and Protection Act) — that had the same thrust.
