Senate panel approves data-sharing cybersecurity bill

The Senate Intelligence Committee voted to approve a cybersecurity bill on Tuesday that proponents say will help stop attacks by reducing legal obstacles to data-sharing between businesses and the government.

The text of the Cybersecurity Information Sharing Act, which passed 12-3, has not been released to the public yet. Committee chairwoman and the bill's co-author Sen. Dianne Feinstein (D-Calif.) trumpeted its passage in a statement.

"Cyber-attacks present the greatest threat to our national and economic security today, and the magnitude of the threat is growing," she said. "Every week we hear about the theft of personal information from retailers and trade secrets from innovative businesses, as well as ongoing efforts by foreign nations to hack government networks."

Feinstein and Saxby Chambliss (R-Ga.), the bill's co-author and committee vice-chairman, said that the bill is an important piece of anti-terrorism legislation. Chambliss said, "The legislation passed out of committee today is a strong, bipartisan bill that encourages the private sector and the government to share information voluntarily about these threats, without fear of frivolous lawsuits and without unnecessary bureaucratic obstacles."

Feinstein said that the bill would require the director of national intelligence to share more classified and unclassified threat information with businesses than it currently does. It states that the sharing of "cyber threat information" is voluntary and that "appropriate measures" must be taken to prevent the sharing of personal identifying data, including oversight by the Privacy and Civil Liberties Oversight Board.

Without the actual language of the bill, it's hard to determine which specific problems the bill is attempting to remedy. Electronic Frontier Foundation attorney Mark Jaycox told CNET that Executive Order 13636 authorizes "a tremendous amount of sharing" between the government and businesses and between companies through their publication of threats and disclosure lists.

"From the press release, the privacy protections are still severely lacking as compared to last year's Senate cybersecurity bill," he said. "And we're still very much concerned about the new powers to monitor users and launch countermeasures."

Although Feinstein's statement notes that technical changes are planned to clarify how and when entities will be allowed to share information, Jaycox isn't hopeful that they will err on the side of privacy. The problems are perennial concerns for privacy advocates.

"The bill appears to retain many of the same problems that President Obama pointed to when he threatened to veto CISPA in both 2012 and 2013," he said. The Cyber Intelligence Sharing and Protection Act is the House of Representatives' version of the bill.

Only one of the eight amendments that Feinstein said have been voted for inclusion in the bill is explicitly more privacy-protective. Sen Martin Heinrich (D-N.M.) wrote one that was approved requiring the attorney general to determine a specific limitation on how long cyber information can be retained.

Two of the three votes against the bill came from Senate Democrats Ron Wyden and Mark Udall, who said they voted against it because of its weak privacy protections. The identity of the third Senate Intelligence Committee member who voted against the bill has not been revealed, in accordance with the rules of the committee.

If the bill is passed by the senate, it stands a good chance of making it to President Obama's desk. House Intelligence Committee Chairman Mike Rogers (R-Mich.) and its top Democrat Dutch Ruppersberger released a joint statement of support today, presuming the bill will pass the full Senate.

"We are confident that the House and the Senate will quickly come together to address this urgent threat and craft a final bill that secures our networks and protects privacy and civil liberties," they said.

Update, July 9 at 11:53 a.m.: to note that the roll call for Senate Intelligence Committee votes are secret by default, per committee rules.