The Senate is advancing legislation that would let companies andthe U.S. government share information about hacking threats, evenas privacy advocates say the plan could enable the NationalSecurity Agency to sweep up information about innocentAmericans.

Bank of America Corp., Visa Inc. and other companies operatingcritical U.S. computer systems would be given legal protections forsharing hacking threats with each other and the government under abill backed yesterday by the Senate's intelligence committee.

Supporters including the American Bankers Association and theFinancial Services Roundtable are at odds with the American CivilLiberties Union and other privacy advocates over the bill.

“We have seen how the federal government has exploited loopholesto collect Americans' private information in the name of security,”Democratic Senators Ron Wyden of Oregon and Mark Udall of Coloradosaid in a statement yesterday after voting against the bill.“Without these protections in place, private companies will rightlysee participation as bad for business.”

The bill is designed to address concern that disclosing hackingvulnerabilities could expose companies to lawsuits or thatcommunications with competitors could invite antitrust actions.

While companies won't be obligated to share data under the bill,there's clearly a need. Cybercrime costs banks, retailers, energycompanies and other sectors as much as $575 billion a year andrising, according to a report published last month by theWashington-based Center for Strategic and International Studies andsponsored by network security company McAfee Inc.

NSA Backlash

Wyden and Udall said the bill “lacks adequate protections forthe privacy rights of law-abiding Americans” and “will notmaterially improve cybersecurity.”

The NSA has faced a domestic and international backlash overrevelations that it collected the phone records of millions ofAmericans and intercepted the Internet communications of U.S.citizens without warrants.

Supporters defended the bill. “If we take no action thencyber-attacks are going to continue to occur,” Senator SaxbyChambliss of Georgia, the top Republican on the Senate'sintelligence committee, told reporters yesterday. “There is thepotential for the American economy to be severely interrupted.”

The bill specifies conditions under which companies would begiven legal protections for monitoring networks and sharing hackingthreat data. “Such sharing is for cybersecurity purposes only andcompanies must take appropriate measures to protect against thesharing of personally identifying information,” according to asummary from the intelligence committee.

“This is the first bill in a very difficult arena,” SenatorDianne Feinstein, a California Democrat and chairman of thecommittee, told reporters. “It's very much a first step. Later onthere may be other steps that need to be taken.”

Feinstein and Chambliss defended a provision that would allowhacking threat data to be shared in real time with the NSA andother agencies.

The bill “is not perfect for anybody” and compromises were made“between what the business sector wanted and what the privacy folkswanted,” Chambliss said.

The bill would limit the government's ability to use informationit receives for “cyber-related purposes to ensure it does notengage in inappropriate investigations or regulation,” according tothe summary.

While Feinstein and Chambliss said the bill could be amended onthe Senate floor, they believe it will reach President BarackObama's desk this year. The House passed its version last year.

Step Forward

The Senate bill “is a very good step forward,” three topindustry officials wrote in a letter of support July 7 to Feinsteinand Chambliss.

“The threat of cyber-attacks is a clear and present danger toour industry and to other critical infrastructure providers that weand the nation as a whole rely upon,” according to the letter fromFrank Keating, president and chief executive officer of theAmerican Bankers Association; Tim Pawlenty, president and CEO ofthe Financial Services Roundtable; and Kenneth Bentsen, presidentand CEO of the Securities Industry and Financial MarketAssociation.

SIFMA, Wall Street's biggest trade group, has proposed agovernment-industry cyberwar council to stave off terrorist attacksthat could trigger financial panic by temporarily wiping outaccount balances, according to an internal document.

The bill would authorize the Department of Homeland Security toserve as the primary federal civilian agency for coordinatinginformation-sharing by creating a “portal” to interface withcompanies. That would enable the five-year-old DHS NationalCybersecurity and Communications Integration Center to bolster itsrole as an anti-hacking coordinator between U.S. banks, utilitiesand other companies operating the networks that millions ofAmericans use daily.

“If we don't know what's going on, we can't respond to it,”Larry Zelvin, director of the center, said in an interview.“Sometimes we don't know about an attack until it comes up in thenews or social media.”

Recent examples have shown the growing threat of hackers. ARussian group known as “Energetic Bear” is attacking energycompanies in the U.S. and Europe and may be capable of disruptingpower supplies, security company Symantec Corp. said in a blog postlast month.

'Strategically Important'

The hackers, also called “Dragonfly,” appear to have theresources, size and organization that suggest governmentinvolvement. The attackers are targeting grid operators, petroleumpipeline operators, electricity generation firms and other“strategically important” energy companies, the company said.

The U.S. Department of Justice in May indicated five Chinesemilitary officials for stealing the trade secrets of major globalcompanies like U.S. Steel Corp. and Alcoa Inc. One of the indicatedhackers known as UglyGorilla was seeking access to parts of a U.S.utility that would let him cut off heat or explode pipelines.

Almost two dozen privacy advocates including the ElectronicFrontier Foundation and the ACLU told Feinstein and Chambliss in aJune 26 letter they “strongly oppose” the bill because it couldallow private communications to flow to the National SecurityAgency and law-enforcement agencies. It also doesn't have adequatecontrols to protect personal data or limit how information is used,and gives companies overly broad liability protection, the groupswrote.

Bloomberg News

Copyright 2018 Bloomberg. All rightsreserved. This material may not be published, broadcast, rewritten,or redistributed.