The Senate Intelligence Committee has approved the Cybersecurity Information Sharing Act, S-754, which encourages the private sector to share cyber threat information through a DHS interface or by mail, and offers liability protections to companies when they submit data.
The bill has raised strong privacy concerns because it allows companies to share any information deemed to be a “cyber threat indicator,” and because that information, once submitted to DHS via a portal designed for that purpose, would automatically be shared with the NSA and DoD, including personal information if it’s threat-related.
Advocates of the bill – including Intelligence Committee Chair Richard Burr, R-NC, and Dianne Feinstein, D-CA – say that by adopting 12 of 15 privacy recommendations they have addressed privacy concerns. For example, modifications to the bill would only allow information sharing related to cyber threats, only allow the information to be used for that purpose, and would authorize only defensive actions to be taken on that information. (The chair of the Senate Homeland Security and Government Affairs Committee, Tom Carper, D-Del, introduced a similar bill this year without authorizing defensive countermeasures.)
S-754 also would require companies to remove personal information prior to sharing it (unless the personal information is related to the threat), and to get customers to consent to information sharing or network monitoring as a condition of submitting data.
Critics of the bill maintain that the definition of what could be shared and how it could be used remains overly broad and merely amounts to an expansion of the government’s surveillance powers, and that the information security value of data submitted this way is questionable.