​Security breaches prompt unprecedented lobbying for CISA bill

Reuters/Jonathan Ernst
Iterations of the Cybersecurity Information Sharing Act, or CISA, currently being considered on Capitol Hill, have come and go over the last few congressional sessions, but corporations are lobbying in favor of the bill harder than ever before.

In the first quarter of 2015, corporations have lobbied on behalf of CISA to the tune of triple the support that’s been showed in years past for cyber-sharing bills, according to disclosure forms analyzed by The Hill ahead of a report published on Tuesday.

Indeed, records hosted on the transparency website OpenSecrets reveal that 181 unique entities have registered to lobby on behalf of CISA so far in 2015 - a significant leap from years past when 33 and 117 corporations registered to lobby on previous incarnations of the bill during the 112th and 113th congressional sessions, respectively.

READ MORE: CISA text released: Cyber bill revisions fail to impress privacy campaigners

If approved in the House and Senate and authorized by President Barack Obama, CISA would offer incentives for corporations that exchange cyber threat information with the United States government. Amid a series of high-profile security breaches, the effort is being touted as a solution by serving as a means of letting cyber experts and infrastructure administered by the federal government assist in analyzing, preventing and remediating attacks launched against private sector computers. In exchange, the companies would be shielded from legal liability. Critics have raised concerns about this bill as in years past, however, mainly over fears that codifying data sharing would put too much sensitive personal bits and bytes into the hands of Uncle Sam.

While the matter of potentially magnifying the government’s ability to sniff web data has been an issue of contention in years past, the hacks of Sony Pictures Entertainment, Target, Home Depot and other big name corporations and retailers in recent months has renewed an interest in securing the nation’s networks by any means necessary.

Lobbying disclosure records available online show that the 181 organizations that have registered to promote CISA including industry titans AT&T, Microsoft, Comcast, Cisco, General Motors, Google, the American Insurance Association, Intel, JPMorgan Chase, Pepsico, J Penney and Monsanto, among dozens of others.

Those firms, a health insurance official told The Hill, are “making sure there’s a way to share data on potential threats to help identify them beforehand ... [to] make sure there are those open lines of communications.”

READ MORE: 'Privacy killer': Senate panel quitely passes CISA 'cybersecurity' bill amid fresh surveillance fears

“In all of these cases, what has emerged is a sense of where we need to focus more of our attention is actually on the data-sharing element between the public and private sector,” the insurance official said.

At an event at Georgetown University last month, two of the top attorneys with the US Dept. of Justice urged corporations to forge relationships with law enforcement partners, regardless of whether CISA is passed, to ensure concerns of a potential breach can be brought up more easily.

“You need to have a point-of-contact in law enforcement before you're hacked,”
Assistant Attorney General Leslie Caldwell of the DoJ's criminal division said, “... to know what you're supposed to do.”

CISA was approved nearly unanimously by the Senate Intelligence Committee in March but has yet to be considered by the full chamber. The panel’s chair, Sen. Dianne Feinstein (D-California), said previously in a statement that the latest version of the bill “address[es] many of the concerns that had been raised in regard to earlier drafts,” specifically with regards to privacy. Sen. Ron Wyden (D-Oregon), the lone “nay” vote among the committee, said the proposal was “a surveillance bill by another name.”

Meanwhile, a similar bill being weighed in the House, the Protecting Cyber Networks Act, advanced last month by a vote of 307-116. If authorized, it too would provide corporations with legal liability in the event that they share threat information with the government.