The Republican Senate Intelligence Committee chairman sees the information-sharing legislation as the best move the government can make — aside from taking offensive measures — to scuttle, or at least minimize, losses from cyberattacks such as recent high-profile breaches of Sony Pictures, Target and Home Depot.
The Intelligence Committee passed the proposal with bipartisan support on a 14-1 vote in March. This past weekend, the committee released a report that offers background on the bill and some commentary from senators on the panel. That document has further raised concerns among privacy groups that the proposal, as well as two similar ones in the House of Representatives, wouldn’t do enough to rein in domestic spying. Others say the legislation doesn’t go far enough to prevent attacks.
“This is happening every day,” Burr said in an interview. “Having nation-states who are trying to wreck an economy … that’s a new phenomenon.”
The legislation, which is expected to pass the Senate, would encourage businesses to share information about cyberattacks with the government in exchange for assurances they’ll be protected from lawsuits and antitrust actions.
Last year’s proposal failed to gain enough ground in the Senate because of concerns that private information could be mistakenly shared and misused by the government.
Some recent cyberattacks, which include reports of Russian hackers penetrating White House computers, have intensified the push for greater protections. The FBI now considers cyberspace a top priority, and President Barack Obama’s proposed 2016 budget seeks $14 billion for cybersecurity efforts, a $1.5 billion increase from this year’s spending.
Earlier this month, Burr delivered the Republicans’ weekly address, which he used to promote the legislation. He described the plan as a “neighborhood watch program” that allows those who choose to be involved to get a better understanding of cybersecurity threats.
The measure would allow the government to warn other relevant businesses that they may also be targeted and to quickly study how breaches were exposed and provide technology fixes to block future attacks, he said.
“Cybercriminals and our foreign adversaries are probing our computer systems and stealing our data,” Burr said in the address.
Civil liberties groups, such as the ACLU, contend that the Senate proposal and the two offered in the House go beyond cyberprotections and could be used to justify further surveillance of private citizens.
“It’s a recipe for chaos,” said Gregory Nojeim, senior counsel at the Center for Democracy & Technology, a Washington-based nonprofit organization that studies privacy and data issues.
It’s not just civil liberties groups that are worried, said Nojeim, who pointed to the committee’s own report detailing how some members shared reservations with privacy groups.
Sens. Martin Heinrich, D-N.M., and Mazie Hirono, D-Hawaii, who voted for the proposal, said it would allow the private sector to more effectively defend its networks. But they added that they continued to “harbor concerns” about provisions that they said don’t adequately protect personal information from being shared.
“The bill also lacks a directive that the Department of Homeland Security scrub cyberthreat indicators for unnecessary personally identifiably information before sharing that information with other areas of the federal government,” they wrote.
Heinrich and Hirono also questioned why the legislation provides a new exemption to the Freedom of Information Act through the bill, which they called “overbroad and unnecessary,” considering that the types of information shared with the government would already be exempt under current FOIA rules.
Burr and Sen. Dianne Feinstein of California, the panel’s top Democrat, say such concerns are unfounded. In a statement, Feinstein pushed back against what she described as misinformation about the proposal.
“Let me be clear: The goal of the bill is for companies and the government to voluntarily share information about cybersecurity threats — NOT personal information — in order to better defend against attacks,” she said. “This bill includes more than a dozen significant changes from last year’s version.”
Burr said the bill would require companies to remove private data before sharing anything with the government. No company would be allowed to share data unless it’s directly related to the cyberattack. He said he had received overwhelming support from the business community, including Charlotte, N.C.-based Bank of America and Duke Energy.
“The privacy folks, ACLU, the rest of them: They want the status quo,” Burr said. “I think anyone in business today would tell you that the status quo is a disaster. … I haven’t found a company yet in America that is not supportive of what we’re doing.”
©2015 McClatchy Washington Bureau. Distributed by Tribune Content Agency, LLC