The fight for cybersecurity legislation may have just entered into a new round.
In the wake of the failure of the Cyber Intelligence Sharing and Protection Act (CISPA), the Senate Intelligence Committee has offered up the Cybersecurity Information Sharing Act of 2014.
In a joint statement, Senate Intelligence Committee Chairman Dianne Feinstein (D-Calif.) and Vice Chairman Saxby Chambliss (R-Ga.) announced the draft version of the bill offers liability protection to facilitate the sharing of intelligence.
“We have worked together for months to draft a bill that allows companies to monitor their computer networks for cyber attacks, promotes sharing of cyber threat information and provides liability protection for companies who share that information,” according to the statement. “After reaching agreement on draft legislation, we circulated that draft bill language to relevant parties in the executive branch, private industry and the privacy community for comment. Once those comments are returned, which we hope will happen quickly, we will consider the final legislation.”
Attempts to create legislation addressing the sharing of cyber intelligence have been an uphill climb in recent years. This latest bill comes after the Senate declined to support CISPA last year despite the bill’s passage in the House.
The draft bill allows for the sharing of cyber threat indicators, defined as anything that describes or is necessary to identify malicious reconnaissance, security vulnerabilities and malicious cyber command and control. In addition, the draft allows for the sharing of information about how security controls can be circumvented and the actual or potential harm caused by an incident – including information exfiltrated when it is necessary in order to describe the threat.
“This is definitely a step back,” Gabe Rottman, legislative counsel and policy adviser for the American Civil Liberties Union, reportedly told the Washington Post after being shown a copy of the draft. “The problem is the definitions of what can be shared and who it can be shared with are too broad. In this draft, companies can share data with the military and the NSA. Given the past revelations, I think it’s important to keep this information in civilian hands.”
A draft of the bill can be read here.
The Federal Trade Commission and the Department of Justice issued a policy statement earlier this month on the sharing of cybersecurity information in an attempt to ease potential concerns about antitrust issues.
“The Department of Justice is committed to doing all it can to protect the security of our nation’s networks,” said Deputy Attorney General James M. Cole, in a statement April 10. “Through the FBI and the National Security and Criminal Divisions, the department plays a critical role in preventing and prosecuting cybercrime. Private parties play a critical role in mitigating and responding to cyber threats, and this policy statement should encourage them to share cybersecurity information.”
Brian Prince is a Contributing Writer for SecurityWeek.