Senate Advances Bill to Shield Firms Sharing Cyber Threats with NSA

The Senate is advancing legislation that would let companies and the U.S. government share information about hacking threats, even as privacy advocates say the plan could enable the National Security Agency to sweep up information about innocent Americans.

Bank of America Corp., Visa Inc. and other companies operating critical U.S. computer systems would be given legal protections for sharing hacking threats with each other and the government under a bill backed yesterday by the Senate’s intelligence committee.

Supporters including the American Bankers Association and the Financial Services Roundtable are at odds with the American Civil Liberties Union and other privacy advocates over the bill.

“We have seen how the federal government has exploited loopholes to collect Americans’ private information in the name of security,” Democratic Senators Ron Wyden of Oregon and Mark Udall of Colorado said in a statement yesterday after voting against the bill. “Without these protections in place, private companies will rightly see participation as bad for business.”

The bill is designed to address concern that disclosing hacking vulnerabilities could expose companies to lawsuits or that communications with competitors could invite antitrust actions.

While companies won’t be obligated to share data under the bill, there’s clearly a need. Cybercrime costs banks, retailers, energy companies and other sectors as much as $575 billion a year and rising, according to a report published last month by the Washington-based Center for Strategic and International Studies and sponsored by network security company McAfee Inc.

Wyden and Udall said the bill “lacks adequate protections for the privacy rights of law-abiding Americans” and “will not materially improve cybersecurity.”

The NSA has faced a domestic and international backlash over revelations that it collected the phone records of millions of Americans and intercepted the Internet communications of U.S. citizens without warrants.

Supporters defended the bill. “If we take no action then cyber-attacks are going to continue to occur,” Senator Saxby Chambliss of Georgia, the top Republican on the Senate’s intelligence committee, told reporters yesterday. “There is the potential for the American economy to be severely interrupted.”

The bill specifies conditions under which companies would be given legal protections for monitoring networks and sharing hacking threat data. “Such sharing is for cybersecurity purposes only and companies must take appropriate measures to protect against the sharing of personally identifying information,” according to a summary from the intelligence committee.

“This is the first bill in a very difficult arena,” Senator Dianne Feinstein, a California Democrat and chairman of the committee, told reporters. “It’s very much a first step. Later on there may be other steps that need to be taken.”

Feinstein and Chambliss defended a provision that would allow hacking threat data to be shared in real time with the NSA and other agencies.

The bill “is not perfect for anybody” and compromises were made “between what the business sector wanted and what the privacy folks wanted,” Chambliss said.

The bill would limit the government’s ability to use information it receives for “cyber-related purposes to ensure it does not engage in inappropriate investigations or regulation,” according to the summary.

While Feinstein and Chambliss said the bill could be amended on the Senate floor, they believe it will reach President Barack Obama’s desk this year. The House passed its version last year.

The Senate bill “is a very good step forward,” three top industry officials wrote in a letter of support July 7 to Feinstein and Chambliss.

“The threat of cyber-attacks is a clear and present danger to our industry and to other critical infrastructure providers that we and the nation as a whole rely upon,” according to the letter from Frank Keating, president and chief executive officer of the American Bankers Association; Tim Pawlenty, president and CEO of the Financial Services Roundtable; and Kenneth Bentsen, president and CEO of the Securities Industry and Financial Market Association.

SIFMA, Wall Street’s biggest trade group, has proposed a government-industry cyberwar council to stave off terrorist attacks that could trigger financial panic by temporarily wiping out account balances, according to an internal document.

The bill would authorize the Department of Homeland Security to serve as the primary federal civilian agency for coordinating information-sharing by creating a “portal” to interface with companies. That would enable the five-year-old DHS National Cybersecurity and Communications Integration Center to bolster its role as an anti-hacking coordinator between U.S. banks, utilities and other companies operating the networks that millions of Americans use daily.

“If we don’t know what’s going on, we can’t respond to it,” Larry Zelvin, director of the center, said in an interview. “Sometimes we don’t know about an attack until it comes up in the news or social media.”

Recent examples have shown the growing threat of hackers. A Russian group known as “Energetic Bear” is attacking energy companies in the U.S. and Europe and may be capable of disrupting power supplies, security company Symantec Corp. said in a blog post last month.

The hackers, also called “Dragonfly,” appear to have the resources, size and organization that suggest government involvement. The attackers are targeting grid operators, petroleum pipeline operators, electricity generation firms and other “strategically important” energy companies, the company said.

The U.S. Department of Justice in May indicated five Chinese military officials for stealing the trade secrets of major global companies like U.S. Steel Corp. and Alcoa Inc. One of the indicated hackers known as UglyGorilla was seeking access to parts of a U.S. utility that would let him cut off heat or explode pipelines.

Almost two dozen privacy advocates including the Electronic Frontier Foundation and the ACLU told Feinstein and Chambliss in a June 26 letter they “strongly oppose” the bill because it could allow private communications to flow to the National Security Agency and law-enforcement agencies. It also doesn’t have adequate controls to protect personal data or limit how information is used, and gives companies overly broad liability protection, the groups wrote.