Congress is expected to take full advantage of National Cybersecurity Awareness Month with a renewed push to pass the Cybersecurity Information Sharing Act (CISA) later in October — a bill the tech industry and Senate Intelligence Committee leadership say is needed more than ever after the recent Experian hack.
After news of the hack against Experian broke ahead of the weekend, Senate Intelligence Committee Chairman Richard Burr and Vice Chairman Dianne Feinstein issued a statement lamenting the “months [they] have been trying to pass important, balanced legislation to help companies get the information they need to stop losses” like “the latest major breach of personal information through a cyber hack, with 15 million people’s private information stolen from T-Mobile and Experian.”
During a hearing last week Burr assured the committee he intended to renew his push to bring CISA to the floor in October. Now, with the threat of a government shutdown passed, it looks likely the bill, already supported by Senate Majority Leader Mitch McConnell, could come to the floor after the Senate returns from a week-long break on Oct. 19.
“Despite strong bipartisan support in the committee and the Senate, and support from the administration and the business community, there are some groups that are opposing the bill out of a knee-jerk reaction against any communication between the government and industry,” the lawmakers wrote. “If these special interest groups are successful in mischaracterizing this bill, which authorizes purely voluntary sharing, they will only succeed in allowing more personal information to be compromised to criminals and foreign countries.”
One such group, the pro-privacy coalition Fight for the Future, staked out the opposite stance over the weekend, and even called on Experian CEO Brian Cassin to resign over Experian’s support for the bill, which they argue would make users’ personal data more vulnerable to hackers and susceptible to government surveillance.
“Under Cassin’s leadership, Experian has spent millions of dollars lobbying Congress through cash donations and political action committees,” the group said in a statement. “Their top recipients in the House of Representatives all voted in favor of PCNA, a spying bill that would allow them to share customer information with the government. And now they’re supporting CISA, a bill that could broadly allow them to violate their privacy agreements with customers and get immunity for leaking people’s information.”
Fight for the Future and its allies, many of whom flooded the upper chamber with six million faxes in July opposing the bill, previously described CISA as a “surveillance bill masquerading as a cybersecurity bill” over provisions allowing private companies to share “cyber threat indicators” with the government without removing unrelated user data, including IP addresses, emails and passwords.
Burr and Feinstein, the bill’s chief sponsors, argue compliance with CISA is “entirely voluntary.” The House passed similar companion bills earlier this year, including the Protecting Cyber Networks Act, which allows private companies to similarly share user information with government agencies. Should the Senate pass CISA, the chambers would proceed to conference on the bills.
“Experian should have used basic security practices to protect our data; they didn’t,” Fight for the Future wrote. “Now, 15 million T-Mobile customers’ sensitive information has been stolen by identity thieves. And this isn’t the first time.”
According to the group, Experian has suffered breaches more than 100 times, “[b]ut instead of improving their security, Experian is spending millions lobbying Congress to pass CISA, a bill that could give them total legal immunity when they get hacked, as long as they share your personal information with the government.”
The Protecting America’s Cyber Networks Coalition, a tech industry group supporting CISA, released a “myth v. fact” statement discussing the bill in August. According to the group, CISA “calls for public and private entities” to remove unrelated personal data before reporting cyber threat indicators to the government.
It also takes issue with the claim that the bill permits so-called “hack-backs,” or retaliatory cyberattacks by victims of cyber intrusions.
“CISA does not permit so-called hacking back,” the group wrote. “[C]ompanies are not permitted to destroy or render computer systems unusable. The bill ensures that defensive measures are properly confined to a business’ own networks or to those of its customers.”
The issue came before the Senate Intelligence Committee last week, where lawmakers asked National Security Agency Director Mike Rogers for his opinion on the tactic.
Rogers warned companies and agencies should be “very careful about going down this road,” and Deputy Secretary of Defense Robert Work added such defensive countermeasures could spark a “second, third and fourth order of [unanticipated] effects.”
Before leaving for the August recess, Republicans and Democrats agreed to consider 22 amendments to the bill should it come to the floor, several of which could be combined into a manager’s amendment by Burr and Feinstein to save time.