The leaders of the Senate Select Committee on Intelligence are "close" to reaching agreement on a cybersecurity information-sharing bill with liability protection for industry that is designed to win the support of 60 or more senators, according to Jack Livingston, the panel's minority counsel.
Livingston spoke today at an American Bar Association breakfast, saying afterward that Chairman Dianne Feinstein (D-CA) and Vice Chairman Saxby Chambliss (R-GA) might agree on the bill within a month. A new effort by Feinstein and Chambliss to craft a "bipartisan approach" could succeed where previous legislative attempts have failed, he said.
"We've been working on information sharing for years," Livingston said. "What's different this time, though, is the chairman and the vice chairman are trying to work together. There is a lot of interest on our committee right now about getting a bill done. We have some pretty key senators on our committee."
He cited Sen. Susan Collins (R-ME), a "huge player in the cybersecurity arena," as well as Sen. Tom Coburn (R-OK); Sen. John Rockefeller (D-WV), who has previously spearheaded cybersecurity legislation; and relative newcomer Sen. Angus King (I-ME).
Brian Weiss, a spokesman for Feinstein, confirmed that she and Chambliss have been working together "for a while"on an information-sharing bill that provides some liability protections. Weiss said he could not provide a firm timetable for when those negotiations might conclude.
Although "a lot of political realities" could pose an obstacle, the aim is to win approval for the bill in the full Senate this year, Livingston said at the breakfast, hosted by the ABA's Committee on Law and National Security. If the committee leadership puts forth a bill, it would be up to Senate Majority Leader Harry Reid to schedule a vote, he said, noting that its successful passage could enable a conference process with a House cybersecurity bill.
The legislation, he said, should outline a "neighborhood watch" approach with the public and private sectors that uses liability protection to enable sharing of threat information by eliminating the risk that companies' participation might trigger prosecution from the Justice Department. The bill should also eliminate the risk of sensitive proprietary information shared with the government being subject to release through ordinary Freedom of Information Act requests, he said.
Livingston said legislation should provide companies with clear authorization to search and monitor their networks and systems for malicious cyber threats, to conduct "self defense" and use "countermeasures" on their systems, to share information and countermeasures with the federal government and other entities, and to use that information.
Livingston also said the bill should accelerate the government's ability to declassify threat information. Further, he said, the government must avoid situations in which a company shares data only to have it suddenly classified and subject to counterproductive restrictions.
On the subject or privacy concerns, he said a lot of the "magic" in national security legislation "happens in the definitions." Carefully and narrowly defining threat information and indicators will set the parameters for what will be shared and mitigate the risk of generating privacy concerns, he said.
Livingston argued against including "use limitations" that would prevent data from being used for law enforcement or national security purposes. As for liability protection, he argued against inserting words like "reasonable" that could "inadvertently" create "a cause of action." He also asserted that affirmatively including a "good-faith defense" would imply a cause of action, "guarantee a jury" and create "unfair" expenses for defendants.