WASHINGTON — The Senate passed a cyber security bill on Tuesday designed to facilitate more information sharing on cyber threats and attacks between businesses and the federal government in the wake of a series of massive data breaches that have hit such retailers as Target, Neiman Marcus and Home Depot, as well as government agencies.
The bill, which passed on a vote of 74 to 21, encourages businesses to share more information with the government when their systems are breached by hackers, which often leads to personal and financial consumer data being compromised.
Retail groups lauded passage of the bill.
“Today was a win for retailers and those committed to stepping up the fight against overseas hackers and cyber thieves targeting American businesses and our customers,” said Nicholas Ahrens, vice president of privacy and cyber security at the Retail Industry Leaders Association. “Cyber attacks are not going away; in fact, hackers are only growing more sophisticated in their ability to attack businesses, institutions and governments.”
“Common-sense legislation that gives businesses the tools and legal protections needed to share cyber-threat indicators is a step in the right direction to thwart future attacks,” he added. “We urge Congress to finish the job and get this legislation to the President’s desk as quickly as possible.”
The Senate legislation, dubbed the Cybersecurity Information Sharing Act, was the culmination of more than six years of legislative work. Its lead cosponsors, Sens. Richard Burr (R., N.C.) and Dianne Feinstein (D., Calif.), said they worked hard to strike a balance between consumer privacy protections and the need for what they said is more public-private information sharing to help thwart hackers and cyber criminals.
“We’re in the final stretch of actually getting legislation into law that would voluntarily allow companies to partner with the federal government when their systems have been breached, when personal data is at risk,” Burr said in advance of the vote.
“This bill will allow companies and the government to share information voluntarily about cyber threats and the defensive measure they might be able to implement to protect their networks,” Feinstein said. “Right now the same cyber intrusions are used again and again to penetrate different targets. That shouldn’t happen. If someone sees a particular virus or harmful cyber signature, they should tell others so they can protect themselves. That’s what this bill does — it clears away the uncertainty and the concerns that keep companies from sharing this information.
“It provides that two competitors in a market can share information on cyber threats with each other without facing antitrust suits,” she continued. “It provides that companies sharing cyber-threat information with the government for cyber-security purposes will have liability protection. The bill is completely voluntary. If a company doesn’t want to share information, it does not have to.”
Burr acknowledged that several companies oppose the bill but he said they can opt not to participate with the federal government. The proponents of the bill had to overcome mounting opposition from digital rights groups, technology companies and privacy protection advocates who tried to block it, arguing that it would place too much private data in the hands of the government.
“Nobody is mandating to do it,” Burr said. “You might not like the legislation but, for goodness sakes, do not deprive every other business in America from having the opportunity to have this partnership. Do not deprive the other companies in this country from trying to minimize the amount of personal data that’s lost because there has been a cyber attack.”
The bill also establishes a “portal” at the Department of Homeland Security, designating the department as the primary government agency to accept cyber-threat indicators and defensive measures. On the privacy protection side, it seeks to limit the amount of information that may be shared with the government and requires the removal of personal information from the shared data.
“Over the past 10 months, we have tried to thread a needle in fact to draft a bill as I said gives the private sector the assurances it needs to share more information, while including privacy protections to make sure that Americans’ information is not compromised,” Feinstein said.
The bill will next head to a conference committee, where lawmakers hope to reconcile the Senate bill with two House cyber-security bills that passed earlier this year. The White House endorsed the Senate bill on Thursday.
In a recent report, PricewaterhouseCoopers revealed that the number of cyber attacks jumped 48 percent in 2014, as previously reported. Another report by the Ponemon Institute said the average cost of a “cyber crime” on U.S. retailers doubled to $8.6 million per company from 2013 to 2014. And a joint report released by Hewlett-Packard Enterprise Security and the Ponemon Institute showed that the bulk of the average costs stem from information loss (about 38 percent) and business disruption (39 percent).
Those alarming numbers added to the growing pressure on Congress to take steps to counter intensifying cyber attacks on U.S. businesses and the government.
RILA and the National Retail Federation were part of a coalition supporting CISA but also calling for an expansion of liability protection. The legislation only affords liability protection to companies when they share threat information with the Department of Homeland Security. The coalition pressed senators to extend that protection to cases when companies share information with the FBI and Secret Service, but an amendment stipulating that expansion failed to pass.