Senate panel approves controversial cybersecurity bill

Despite privacy concerns, committee passes bill that encourages US companies to share information about security breaches with each other and government agencies.

Steven Musil Night Editor / News

The bill is designed to free companies of legal liability when sharing data about breaches.

The Senate Intelligence Committee approved a controversial cybersecurity bill on Thursday that's designed to help companies and the federal government better defend against the growing threat of data breaches.

Approved by a 14-1 vote, the Cybersecurity Information Sharing Act (CISA) aims -- by providing expanded legal liability protections to companies sharing data -- to encourage US companies to share information about security breaches with each other and government agencies. Supporters argue that the legislation is necessary to reduce the impact of an uptick in the theft of customers' personal information.

"This current bill is critically important both for our agencies that keep the country safe, and the institutions that hold millions of Americans' personal information," Sen. Richard Burr, a North Carolina Republican and chairman of the panel, said in a statement.

The committee passed a similar bill last year by a 12-3 vote, but the measure stalled after privacy advocates raised concerns that it would reinforce government powers to conduct surveillance on US citizens, particularly after former NSA contractor Edward Snowden released details of the secret spying programs.

Sen. Ron Wyden, the only lawmaker to vote against the new bill Thursday, said the measure "lacks adequate protections for the privacy rights of American consumers, and...will have a limited impact on US cybersecurity."

"This information-sharing is only acceptable if there are strong protections for the privacy rights of law-abiding American citizens," Wyden said in a statement. "If information-sharing legislation does not include adequate privacy protections, then that's not a cybersecurity bill -- it's a surveillance bill by another name."

After a draft of the bill circulated last month, the White House, some congressional Democrats and privacy advocates raised concerns that the wording in the draft could make it easier for the US government to spy on its citizens. Burr and Dianne Feinstein, the intelligence panel's ranking Democrat, released a statement Wednesday saying that some of those privacy concerns would be addressed in compromise amendments introduced before today's vote.

"We are glad that the Senate Intelligence Committee heard the privacy community's concerns, and we're eager to see if the changes to the bill will adequately address the significant threats to privacy and Internet security that CISA has raised," Robyn Greene, policy counsel with New America's Open Technology Institute, said in a statement Thursday. "Based on how dangerously broad and vague the last version of the bill was, it would be surprising if the bill agreed to in secret today will garner the support of the privacy community."

The increased legislative attention comes amid an uptick in data security breaches. Hacks on businesses and government agencies ran rampant in 2014 -- there were more than 1,500 data breaches worldwide, up nearly 50 percent from 2013.

Among the recent high-profile security breaches, a hack at Home Depot last year exposed 56 million credit card numbers, and another at Target yielded credit card data of 40 million Target customers and the personal information for an additional 70 million customers. In January, insurance provider Anthem revealed that hackers had broken into its computer systems and potentially accessed the personal data of 80 million people, including their names, emails, passwords and Social Security numbers. Such information makes Anthem's customers vulnerable to identity theft for the rest of their lives.

The increase in cyberattacks against US businesses and organizations has forced the Obama administration to grapple with the best way to deal with massive data leaks and thefts. Obama has earmarked $14 billion in the 2016 budget proposal to beef up US efforts against such attacks. Last month, the Obama administration announced the creation of a new government agency, the Cyber Threat Intelligence Integration Center, that will fuse information from various intelligence-gathering services to thwart cyberattacks in much the same fashion as government counterterrorism task forces.