Outlook for Cybersecurity Information Sharing Act Markup Seen as Unclear
The Senate Intelligence Committee is set to mark up the Cybersecurity Information Sharing Act (CISA) Thursday, but expectations about the result of that markup remain unclear even after months of behind-the-scenes revisions. The markup, closed to the public, is set to begin at 2:30 p.m. in Hart 219.
The dynamics of support for and opposition to CISA remain virtually the same as they were more than a month ago (CD May 15 p11). Industry executives told us this week they still support much of the bill’s language, while privacy advocates said they remain concerned the bill’s privacy provisions do not sufficiently protect against potential abuses of expanded information sharing. Those privacy provisions continue to be the linchpin of the bill’s future success or failure in the Senate because of continued concerns about the NSA’s surveillance programs, said Norma Krayem, a policy advisor at Squire Patton. Senate Intelligence had included in CISA privacy protections it viewed as being an improvement over those included in the House-passed Cyber Intelligence Sharing and Protection Act (HR-624).
CISA has a “good chance” of clearing the Senate Intelligence markup, particularly given that committee Chairwoman Dianne Feinstein, D-Calif., and Vice Chairman Saxby Chambliss, R-Ga., are the bill’s co-authors, but getting the bill to the Senate floor will be “more problematic,” said Internet Security Alliance President Larry Clinton. There is only a short period remaining before the midterm election campaign virtually halts legislative work, complicating CISA’s post-markup prospects, he said. “There’s still enough time to do this, but there’s certainly no time to waste.”
Concerns about privacy protections have been the main reason it’s taken so long for CISA to even make it to markup, Clinton said, adding that he’s hopeful both sides can reach an agreement that will “allow the broader picture to move forward.” ISA has traditionally not taken a position on privacy issues within the cybersecurity realm, but “it’s very important to remember that the leading threat to personal privacy” is from cyberattacks, he said.
Privacy advocates said they believe CISA’s privacy protections haven’t improved, citing a revised draft of the bill that Feinstein released last week (CD June 18 p14). The privacy protections in that version of CISA have “gotten worse,” said Mark Jaycox, an Electronic Frontier Foundation policy analyst. He cited CISA’s “broad” liability protections as one problematic provision in the bill. The privacy provisions in CISA are also a “huge step backward” from what was included in previous Senate cybersecurity bills, including the failed Cybersecurity Act of 2012, and fail to adequately account for information gleaned through leaks about the NSA programs, Jaycox said. The New America Foundation also believes CISA is a “major step back” from the Cybersecurity Act of 2012 and other bills, said Robyn Greene, policy counsel for NAF’s Open Technology Institute.
NAF believes Senate Intelligence needs to “narrowly tailor” CISA’s information sharing authorizations, which at present are overly broad and don’t adequately restrict sharing to cyberthreat indicators, Greene said. NAF also wants a revision to CISA making a civilian agency the portal for receiving cyberthreat information from the private sector instead of the Department of Homeland Security (DHS), she said. NAF faults placing control with DHS because the bill allows all federal agencies -- including the NSA -- to have access to the information, Greene said. A civilian agency would be able to restrict dissemination to military or intelligence agencies to situations involving significant threats, she said. NAF also faults CISA for requiring entities to only strip out personally identifiable information (PII) from cyberthreat information if the entity “knows” the PII belongs to someone from the U.S., Greene said.
Bob Dix, Juniper Networks vice president-government affairs and critical infrastructure protection, said he expects CISA to clear Senate Intelligence, but will reserve his forecast for the bill’s future prospects until he sees what’s in the bill post-markup. Revisions to CISA have “moved the needle a little bit,” but potential amendments to the bill will affect whether it remains an effective bill, Dix said. Juniper believes Senate Intelligence needs to balance CISA’s information sharing provisions, because it still emphasizes increasing private sector information sharing with the government at the expense of government sharing with the private sector, he said.