The Cybersecurity Information Sharing Act of 2014 is going to be marked up today by the Senate Intelligence Committee. The leading co-sponsors of the bill, Senator Dianne Feinstein (D-CA) and Senator Saxby Chambliss (R-GA), are the Chair and Vice-Chair of the Senate Intelligence Committee. As with most Intelligence Committee markups, this one will be held secretly, thus depriving the public of much information about the matters the Committee considered. The Committee also held a June 19, 2014, hearing on the bill that was conducted secretly. However, to its credit, Committee staff released a discussion draft of the bill in April, and a subsequent discussion draft in June, enabling public comment.
As compared to the Cybersecurity Act the Senate considered in July 2012, the bill would dismantle many hard-fought privacy protections that had improved that legislation as it moved to the Senate floor. Indeed, the bill seems to disregard the revelations about surveillance conducted by the National Security Agency and includes no new civil liberties protections responsive to those disclosures. In short, the bill:
- Fails to address recently disclosed cybersecurity-related conduct of the NSA, some of which undermines cybersecurity;
- Requires that any cyber threat indicators a company shares with many federal agencies be immediately shared with multiple other federal agencies, including elements of the Department of Defense, which includes the NSA, thereby discouraging the very information sharing it would be enacted to permit;
- Risks turning the cybersecurity program it creates into a back door wiretap by authorizing use of cyber threat indicators for overly broad law enforcement purposes;
- Does not effectively require that personally identifiable information irrelevant to a cyber threat indicator be removed before information about the threat indicator is shared; and
- Authorizes broadly defined cybersecurity countermeasures and provides a good faith defense against claims that a countermeasure unlawfully damaged a network or stored information, encouraging reckless conduct that runs counter to the cybersecurity purpose of the bill.