Information sharing legislation would give companies partial legal immunity from prosecution.
The National Defense Authorization Act for 2016, currently awaiting action in the Senate, addresses acquisition reform and a number of other issues while providing the Defense Department funding for the next fiscal year. But it won’t cover the sharing of cybersecurity information between industry and government.
Controversial cybersecurity legislation had been attached to the authorization bill, before Senate Democrats, with the help of a few Republicans, blocked the legislation from being attached to the NDAA.
The Cybersecurity Information Sharing Act would give technology companies partial legal immunity from prosecution if they share information about their customers with government spy agencies for national security and cybersecurity purposes.
The measure, which proponents say would get industry to share information about breaches more quickly, has drawn corporate backing, while privacy advocates painted the proposal as a renewed license to spy on Americans. Opponents say it would restore the domestic surveillance abilities that were removed by the recent reforms to the Patriot Act.
The cyber legislation was introduced this week, on the heels of last week's suspected Chinese hack of U.S. government personnel records maintained by the U.S. Office of Personnel Management (OPM).
Security experts said this week they suspect Beijing is sweeping up data on Chinese citizens living in the U.S. to determine their contacts with U.S. officials, as well as information on the workings of the U.S. government. The hacks, including an earlier hack of OPM databases from 2014, also appear to have targeted personnel with security clearances who must report contacts with foreign nationals. That data was thought to be readily accessible once hackers gained access to OPM's database.
Moreover, the breach appeared to be so sophisticated that encrypting the personnel data may not have prevented the breach, security experts said.
Supporters of the cyber legislation in the financial services industry cited a wave of high-profile cyber attacks as justification for greater sharing of threat data among businesses and government agencies. "With daily stories of more and worsening cyber attacks, we need a team America approach to better combat the threats," Tim Pawlenty, president and CEO of Financial Services Roundtable, said in a statement. "We urge the Senate to protect consumers and vote in support of this amendment to move [the cyber legislation] forward."
The bill would direct the Justice Department to develop privacy guidelines to limit the use and retention of personal information on individuals.
The fiscal 2016 NDAA was still pending on the Senate floor as of June 12. The spending bill was approved in the House with similar information-sharing amendments in May, with one provision focusing on how military contractors share information on cyber threats with government agencies.
Democrats had said that attaching CISA to NDAA would have prevented them from adding privacy protections to the bill. Republicans reportedly say they currently have to backup plans for moving CISA forward.