Senate Bill Pushes Sharing of Sensitive Cyber Threat Data Between Government and Companies
Sen. Thomas Carper’s bill seeks to cajole the private sector into increased information-sharing with the government by offering liability protection.
A lone Democrat on Wednesday will introduce cybersecurity legislation that seeks to increase the sharing of sensitive data between government and the private sector, a push that comes on the heels of President Obama's vocal campaign for such a proposal.
The bill from Sen. Thomas Carper, the top Democrat on the Senate Homeland Security Committee, arrives as hacks on major businesses and financial institutions continue to dominate headlines, and just a week after Anthem insurance announced that account information of as many as 80 million customers had been pilfered.
By expanding legal protections to sharing some customer information, Carper's bill would create a friendlier atmosphere for companies to swap certain types of computer data with each other and the government—a schematic intended to thwart potential cyberthreats and identify security flaws.
The measure adheres closely to the recommendations laid out in a White House legislative proposal released last month. But it has incorporated additional feedback from privacy advocates, according to a one-page explainer from Carper's office.
The legislation would allow companies to voluntarily share "cyber threat indicators" with the National Cybersecurity and Communications Integration Center, a data hub housed within the Department of Homeland Security. It would require that such data be shared with other federal agencies in "as close to real time as practicable" and that it would be protected from disclosure under the Freedom of Information Act, according to the explainer.
To persuade companies to buy into the system, the bill would provide assurances that the sharing of indicators—which could include things like IP addresses, routing information, and date and time stamps deemed important to identifying potential cyberthreats or security vulnerabilities—would be exempt from legal or regulatory punishment.
"Today, those seeking to do us harm do not need to travel thousands of miles to carry out an attack," Carper said in a statement. "They can disrupt our lives and cause great damage with just a few keystrokes at a computer."
In January, Obama spent the week leading up to his State of the Union address trotting out various data-security proposals—a rapid-fire rollout that administration officials have said was spurred on by last year's "game-changer" hack on Sony Pictures.
But Obama's information-sharing proposal met quick resistance from privacy advocates, who warned that giving the government wider latitude to access the personal data of Americans could bolster spying operations carried out by the National Security Agency and other departments.
It's a concern that has helped torpedo previous attempts to pass information-sharing legislation. Last year, the Cybersecurity Information Sharing Act cleared the Senate Intelligence Committee before stalling amid opposition from groups like the American Civil Liberties Union and Electronic Frontier Foundation.
Senate Intelligence Committee Chairman Richard Burr on Wednesday indicated that his panel would seek to revive its information-sharing bill soon, noting that Carper "introduced the president's bill."
"I think the committee will report a bill out at some point," Burr added. "I dare say it will be the committee's bill, not the president's bill."
Sen. Dianne Feinstein, the panel's top Democrat, echoed Burr's desire to continue negotiating its own language on cybersecurity.
"We have worked on [information-sharing] for four years," Feinstein said. "We wanted to get agreement between the chairman and myself, and now we'll submit it to our members so they can look at it over the break and hopefully mark it up when we come back."
"I don't know if [the president] supports it, but I don't think he'd want to veto it," she added.
Privacy groups generally considered Obama's proposal—now adopted by Carper—an improvement over the bill pushed last year by Senate Intelligence. But the package continues to face skepticism over definitions and what private data companies would be required to scrub before sharing it with the government and other businesses.
In a bid to assuage those concerns, Carper's bill would require transparency reports detailing the bill's implementation to "ensure accountability in the sharing of cyber threat indicators," according to his office's explainer. It also includes a five-year sunset to prompt Congress to revisit the law's effectiveness and protection of civil liberties.
But several obstacles remain to Congress passing the bill—not least of which is the lack of cosponsors on Carper's offering. Questions remain about precisely what scope of legal liability should be afforded to companies that engage in information-sharing, and how much responsibility those companies have to protect private customer data.
An aide to the Delaware Democrat, however, noted that he had been in discussions about the bill with other senators, including Homeland Security Chairman Ron Johnson, who has shown interest in moving quickly on cybersecurity.
The bill's introduction comes just a day after the administration announced the creation of a new$35 million data-fusion center that is intended to coordinate and manage cyber data across the government's disparate intelligence-gathering agencies, such as the FBI and CIA. And on Friday, the White House is convening a first-of-its-kind cyber summit at Stanford University, where Obama is scheduled to speak.
Brendan Sasso contributed to this article.