Senate panel begins crafting cybersecurity bill
WASHINGTON — A key Senate panel took the first step Wednesday toward crafting legislation to give businesses greater incentives to share information about cyber threats with the federal government.
The Senate Homeland Security and Governmental Affairs Committee asked corporate leaders and civil liberties experts how best to write a bill that would boost information-sharing while still protecting consumers’ personal data.
“One of our missions for this Congress is to address the cybersecurity threat,” said the committee’s new chairman, Sen. Ron Johnson, R-Wis.
Lawmakers appear to be moving quickly to take up a bill in the new Congress as President Obama and a coalition of tech and business groups push for action in the wake of the high-profile hack of Sony Pictures in November. In addition to Wednesday’s Senate hearing, House committees held two hearings on cybersecurity issues Tuesday.
The U.S. Chamber of Commerce, American Bankers Association, Telecommunications Industry Association and about 20 other business groups sent a letter to Senate leaders this week calling on them to pass an information-sharing bill as quickly as possible.
“Cyberattacks aimed at U.S. businesses and government entities are being launched from various sources, including sophisticated hackers, organized crime, and state-sponsored groups,” the letter reads. “These attacks are advancing in scope and complexity … congressional action cannot come soon enough.”
Johnson cited a recent study by the Center for Strategic and International Studies that estimated the total economic loss of cyber-attacks are as high as $100 billion a year. A separate study commissioned by HP Enterprise Security estimated the mean annualized cost of cybercrimes in the USA to be $12.7 million per company.
Sen. Tom Carper of Delaware, the senior Democrat on the Homeland Security panel, said he is anxious to work with Johnson, the Senate Intelligence Committee and the White House to move bipartisan information-sharing legislation.
An information-sharing bill would encourage companies to share information with the government — most likely the Department of Homeland Security — so that federal law enforcement officials can help stop and catch cyber criminals. A bill would give companies protection from lawsuits for sharing information with federal agencies and with one another.
“Often times, legal ambiguities make companies think twice about sharing cyber threat information with the government or their peers,” Carper said. “In some cases, companies are uncertain about what they can do to defend their own networks. Legislation can fix these problems.”
Johnson asked the five witnesses at Wednesday’s hearing what the biggest obstacle would be in passing a bill. All of them cited ongoing privacy concerns by Americans in the wake of the 2013 revelations by former National Security Agency contractor Edward Snowden about the NSA’s mass collection of data from Americans’ phone records.
“There is a deficit of trust in the security community,” said Richard Bejtlich, chief security strategist for FireEye, which provides software to companies to stop hackers and help companies recover from cyber attacks.
Gregory Nojeim, of the non-profit Center for Democracy and Technology, said any bill must require companies to take reasonable steps to remove consumers’ personally identifiable information — data that is not related to the cyber threat — before it is is shared with the government. He said DHS should do the same before it shares the data with any other federal agencies such as NSA.
“Quite simply, the American public should not — and need not — be forced to choose between being hacked by cyber criminals and being snooped on by the government,” Nojeim said.