Hacks clear path for US cyber bill
October 20, 2015 5:04 pm
By Gina Chon in Washington
After a year of high-profile hacks on companies and the US government, the business lobby has its best chance of prevailing against privacy advocates and convincing the US Congress to approve a cyber information sharing bill, which supporters claim would help prevent breaches.
Similar bills that would allow companies to share information with the government about cyber threats, and protect them from privacy or antitrust liabilities when doing so, have failed in the past five years amid opposition from privacy and civil liberty advocates.
Their case was strengthened after Edward Snowden leaked information in 2013 about a US surveillance program run by the National Security Agency, creating suspicion about sharing information with the government. In backing privacy advocates, the White House also threatened to veto cyber information sharing bills.
But since data for 185m people was stolen in alarming breaches at insurer Anthem, JPMorgan Chase and the human resources arm of the US government, defending against hacks has begun to take priority over privacy concerns. Organised crime and state-sponsored hacks by China and Russia pose some of the most serious cyber threats, according to US officials.
After months of arguments between the bill’s supporters and critics, the Republican-controlled Senate could take up the bipartisan cyber information sharing bill as early as Tuesday. The bill, which would also need to be approved by the House of Representatives, has the best chance of passing in years and is now backed by the White House.
The US Chamber of Commerce, Wall Street lobbying groups, the American Petroleum Institute representing oil companies and other groups have argued that such a bill is needed to protect them from lawsuits when they share information with the government about cyber threats.
“We need a team America approach to taking on cyber criminals and this bill will help us do that,” said Tim Pawlenty, president of the Financial Services Roundtable. “Without a team approach, the personal information of consumers is more at risk and we urge political leaders to collaborate and get this crucial bill over the finish line.”
The roundtable, which includes Citigroup, BlackRock and Visa as its members, launched an advertising campaign on Monday to push for passage of the bill.
On the other side have been privacy advocates, civil liberty groups, and tech companies like those in the Computer & Communications Industry Association, whose members include Google and Facebook.
“[The bill’s] prescribed mechanism for sharing of cyber threat information does not sufficiently protect users’ privacy or appropriately limit the permissible uses of information shared with the government,” the association said.
The bill’s cosponsors, Republican Richard Burr and Democrat Dianne Feinstein of the Senate Intelligence Committee, have made some compromises to appease the privacy advocates. For example, the bill provides liability protection only in cases when information is shared with the Department of Homeland Security, a civilian agency.
Protection would not be provided in cases where companies share information with military or intelligence agencies, such as the NSA or the Defence department. But privacy advocates wanted businesses to share information only with DHS in all cases.
Threat information could only be shared for “cyber security purposes,” while a provision allowing the government to use the information to investigate violent felonies was eliminated.
Privacy and civil liberty groups also oppose the bill’s provision that allows for defensive measures against breaches, which they say could be interpreted to mean hacking back and could cause harm to what could be innocent third parties.
Retaliatory hacking is illegal and is discouraged by law enforcement officials, partly because of the difficulty in attributing the source of a cyber attack.
The bill’s proponents argue that the bill only allows for defence and prohibits offensive moves. Defensive measures do not include actions that “destroys, renders unusable, [provides unauthorised access to] or substantially harms” a third party network, according to the bill.
Copyright The Financial Times Limited 2015.