After months of protest, delay and consideration of more than 20 amendments, the Senate passed its first cybersecurity bill in years — the Cybersecurity Information Sharing Act — Tuesday, and took the next step toward establishing a framework for private companies to share cyber threat data with the government in the hope of preventing future cyber aggression.
The upper chamber passed the bill by a vote of 74 to 21 Tuesday afternoon after months of false starts, Capitol Hill protests and disagreement between privacy-minded lawmakers and surveillance hawks.
Passage of the bill also follows a year of high-profile private and public sector hacks against Sony Pictures, Anthem, the Office of Personnel Management and others, which likely influenced the bill’s overwhelming passage.
Disagreements between lawmakers came down to the wire ahead of Tuesday afternoon’s vote, which was preceded by a round of votes on privacy amendments aimed at shoring up some of the weaknesses pointed out by senators led by Oregon Democrat Ron Wyden and digital rights groups including the Electronic Frontier Foundation, Fight for the Future, Access and others.
One amendment from Wyden sought to strengthen language requiring companies to remove unrelated personal information about users when they share cyber threat indicators with the government.
Under the current version of the bill, companies can voluntarily share data on attempts at cyber aggression launched against their networks through a portal with the Department of Homeland Security, and are freed from any legal liability associated with sharing personal data about users that may run afoul of their user privacy agreements.
It’s because of that provision that digital rights groups staunchly opposed the bill, which they described as “a surveillance bill masquerading as a cybersecurity bill” and which they assert will become a new avenue for the government to sweep up data, including emails, account passwords and Social Security numbers belonging to Americans.
Passage of the bill included a manager’s amendment encompassing 14 of the 21 amendments Republicans and Democrats agreed to consider before the August recess, including one to set up a filter at DHS to automatically weed out some private information, when it meets certain conditions, before DHS disseminates cyber threat indicators to other agencies.
A vote for Wyden’s toughened language failed, along with other privacy-focused amendments from Democratic Sens. Chris Coons of Delaware, Al Franken of Minnesota, Patrick Leahy of Vermont and Republican Dean Heller of Nevada to make the cyber threat sharing process more transparent, specifically define the types of cyber threat indicators shared and limit the amount of private data DHS can take in.
Another amendment on the opposite side of the aisle from Arkansas Republican Sen. Tom Cotton to let companies share threat data directly with the FBI and Secret Service, without having to go through DHS, also failed. In its passed form, CISA directs companies to share data exclusively through DHS with two exceptions — if the entity falls under the jurisdiction of another federal regulator, or when the entity shares data on a threat it shared before.
The Obama administration and Senate Intelligence Committee Chairman Richard Burr — one of CISA’s chief sponsors — opposed Cotton’s amendment, which they said would kill the chances of ultimately making the bill law, despite Cotton’s insistence one of the House’s companion pieces of legislation has a similar provision.
House lawmakers have already passed two companion bills, and CISA secured the White House’s endorsement before passage. Lawmakers plan to conference on the bill and send it to the president’s desk before the end of fall.
Intelligence and defense leaders have also signaled their support for the bill, including DHS Secretary Jeh Johnson, who encouraged Congress last week to pass the bill during House testimony and in a written statement.
“[CISA] is in my judgement a good piece of legislation,” Johnson said. “I hope the Senate takes it up on the Senate floor, passes it, and it goes to conference with the House’s bill. We need cybersecurity legislation.”
While speaking at “The Ethos and the Profession of Intelligence” at George Washington University Tuesday, CIA Director John Brennan followed Johnson’s lead.
“Congress over the past few years has tried, so far without success, to pass laws addressing the need for comprehensive cyber policy, especially on information sharing between the public and private sectors,” Brennan said during his opening address to the CIA’s second annual conference. “Such an approach is essential if our nation is to better defend itself against foreign cyber threats.”