Senate panel advances cybersecurity bill

By Arthur Postal on July 11, 2014

Seal_of_the_United_States_Senate200x200Legislation approved by a Senate committee this week would give US officials strong authority to combat computer espionage and theft of valuable commercial data.

The “Cybersecurity Information Sharing Act” reported out by the Senate Intelligence Committee in closed session would require the director of national intelligence to increase the sharing of classified and unclassified cyber threat information to the private sector, consistent with the protection of sources and methods.

Sponsored by Sens. Dianne Feinstein, D-Calif., and Saxby Chambliss, R-Ga., chairman and ranking minority member, respectively, of the committee, the bill would also offer liability protections to companies that appropriately monitor their networks or share cyber threat data and limit the government’s ability to use data it receives.

The measure must be approved by the full Senate and reconciled with similar legislation that passed the House of Representatives in April.

Democratic senators Ron Wyden of Oregon and Mark Udall of Colorado, members of the intelligence committee, said they opposed the bill because they felt it did not include sufficient privacy protections.

But there are signs the Intelligence Committee bill has bipartisan support in the House. The Republican chairman and top Democrat on the House Intelligence Committee issued a statement on Tuesday backing the measure and urging the full Senate to vote quickly.

“We are confident that the House and the Senate will quickly come together to address this urgent threat and craft a final bill that secures our networks and protects privacy and civil liberties,” Reps. Mike Rogers, R-Mich., and Dutch Ruppersberger, D-Md., said in a statement.

It is the second dealing with cyber risk introduced in the Senate this year. Legislation was introduced in May by Sen. Carl Levin, D-Mich., with bipartisan support, that would give US officials strong authority to combat computer espionage and theft of valuable commercial data.

According to the Insurance Information Institute, Congress is proposing legislation because of a rising number of high profile mega data breaches—most recently at eBay, Target and Neiman Marcus. A new III white paper says the result is stepped-up government scrutiny of cyber security and increased calls for legislation and regulation, “placing the burden on companies to demonstrate that the information provided by customers and clients is properly safeguarded online.”

The earlier Senate bill, Deter Cyber Theft Act of 2014, S. 2384, updates legislation introduced last year with the intent of taking  aggressive new steps against computer espionage and theft of valuable commercial data.

The Cybersecurity Information Sharing Act does the following:

  • Requires companies sharing cyber information to remove personally identifying information from cyber threat information before sharing.
  • Requires the attorney general to write procedures to limit the government’s use of cyber information to appropriate cyber purposes, and to ensure privacy protections are in place.
  • Mandates that information shared with the federal government through real-time information-sharing mechanisms or other electronic methods must be provided to the Department of Homeland Security in order to receive liability protection. That information is to be shared immediately with other relevant federal departments.
  • Requires reports by the Privacy and Civil Liberties Oversight Board and relevant federal inspectors general, and by agency heads, on the use of authorities and protections under this bill.
  • Authorizes and provides liability protection for companies to monitor their networks.
  • Directs the federal government to share information with the private sector at the classified and unclassified levels, consistent with protections of sources and methods.

“Clearly, given that there is bipartisan support for cyber-related action, and there is also support within the Obama administration for legislation, this issue will be with us for a long time, regardless of whether there will be action this year,” Robert P.Hartwig, president and economist for III, said.

In 2013 more than 600 organizations across the business, financial, educational, government and healthcare sectors, publicly disclosed data breaches that exposed nearly 92 million records, according to the Identity Theft Resource Center. This year, ITRC said there have been 381 breaches as of July 1.

“Yet despite the large number of reported breaches, the actual number of breaches and exposed records is without a doubt much higher as many, if not most, attacks go unreported,” III said.

Interestingly, the III paper said that cyber risk moved into the top 10 global business risks in 2014, according to the third annual Allianz Risk Barometer Survey, climbing up to rank 8 from 15 in last year’s survey.

READ THE FULL STORY

This story in an excerpt of the original. The content originally appeared in Cyber Front Page News.
To read the full story, you must be a subscriber. If you are a subscriber, check your email for Cyber Front Page News on July 11, 2014.

Arthur D. Postal is a veteran reporter covering Washington, D.C. and federal insurance regulation, with more than 30 years of experience in financial journalism.