Private entities would also be able to constantly monitor their own systems, and those of other entities if given permission, to ferret out possible cyber threats. If a private company identifies a cyber threat, it could then engage in “countermeasures” to eliminate, prevent or minimize the threat. The draft bill does not elaborate on exactly what those “countermeasures” might include, but does contemplate that they will be executed on both private and government systems, as appropriate. In an attempt to alleviate previous concerns that data sharing would open companies up to litigation under the privacy laws, private entities engaged in monitoring and sharing information about cyber threats consistent with the proposed law would be exempt from suit.
In a joint statement regarding the release of the draft bill, Feinstein and Chambliss indicated that they have circulated the draft to “relevant parties in the executive branch, private industry and the privacy community” for comment, and that once comments are received, the pair will “consider the final legislation.” Given the uncertain timeframe for the collection of comments and introduction of a formal bill, it is unlikely that the Senate will be able to reach an agreement on a comprehensive cybersecurity bill before the end of the year. Additionally, the legislative calendar is already crowded with other priority items such as the annual appropriations process and action on tax extender provisions. Further complicating matters is the approaching 2014 mid-term elections. Nonetheless, cybersecurity does remain a priority for Congress, and additional action could take place late this year, possibly during the lame duck session.