By Caleb Skeath

Earlier this week, the Senate Committee on Homeland Security and Governmental Affairs held its first hearing of the new Congress, entitled “Protecting America from Cyber Attacks: The Importance of Information Sharing.”  The hearing focused in large part on the White House’s recent information sharing proposal, which would protect private entities from civil and criminal liability for sharing information with the government and designated private information sharing and analysis organizations (ISAOs).

Sen. Ron Johnson (R-WI), Chairman of the Committee, noted that he was “encouraged” by the renewed prospect of passing an information-sharing bill but cautioned that the Senate Intelligence Committee may also seek to weigh in on the issue.  Sen. Tom Carper (D-DE), the ranking member of the Committee, said that the administration’s proposal is “not perfect” but contains “constructive proposals that will help us continue the conversation on this issue.”  Sen. Carper, who has pledged to introduce a bill based on the White House’s proposal, told reporters afterwards that action on an information sharing bill could occur “very soon” and Congress will be “much more involved this year” on cybersecurity issues.

Several of the Committee’s members expressed concern over the privacy implications of allowing private entities to share cyber threat information with the federal government, and the panel members agreed that privacy concerns would be the biggest obstacle to passing an information-sharing bill.  Sen. Cory Booker (D-NJ) questioned whether information sharing legislation could create “another level of government surveillance” by encouraging private entities to turn over customer information.  However, the panel replied that the current proposal is a “constructive step forward” in comparison to previous information sharing bills and offers increased protection for customer information.

The Committee also explored the liability protections offered by the White House’s proposal, as Sen. Johnson questioned the panel about whether the proposed liability protections would be “adequate.”  The panel members replied that although the proposal contains basic liability protections, such provisions would be insufficient to encourage private companies to engage in the large-scale information sharing that is needed to combat cyber threats.  Several panel members noted that many private entities already share cyber threat indicators within industry groups and encouraged the Committee to consider providing liability protections for sharing between private entities as well.

The Committee’s hearing comes after over 30 industry associations sent a letter to the Senate, “strongly urg[ing] the Senate to quickly pass a cybersecurity information-sharing bill.”  Such a bill, according to the letter, could allow business to receive cyber threat indicators in real time and protect themselves from cyberattacks while providing “legal certainty” against “frivolous lawsuits” that could result from information sharing.  The letter also called for legislation that would protect civil liberties and privacy while protecting private entities from public disclosure, regulatory and antitrust risks.