After months of delays and high-profile hacks against the government and private companies, the Senate is once again pushing to pass the Cybersecurity Information Sharing Act (CISA), a bill some lawmakers say is a crucial move to shore up America’s internet defenses. Yet a coalition of privacy advocates and tech companies is pushing to kill what its members call yet another mass surveillance measure. The legislation could come to a vote as early as the end of this week.
Sens. Richard Burr (R-N.C.) and Dianne Feinstein (D-Calif.), the chair and vice chair of the Senate Intelligence Committee, introduced the bill on Tuesday afternoon, praising it as a way for companies to share information on cyberattacks more effectively with government agencies and other corporations. Currently, if a company is hacked and tries to share information about the hack with the government or other businesses, it risks being sued on privacy grounds by customers whose data is shared. CISA would give companies legal immunity to pass such information around—and this information, the bill’s backers say, is badly needed to understand attacks and make computer systems less vulnerable.
But privacy advocates and some senators counter that the bill’s privacy protections aren’t nearly stringent enough, allowing the government to use information sharing to gain access to the personal information of millions of Americans.
Feinstein said the bill is “bipartisan, it is narrowly focused, and it puts in place a number of privacy protections.” Burr stressed the “voluntary” nature of CISA, saying companies don’t have to share information if they don’t want to. “If these companies should find no value in it, it’s simple! Don’t participate,” he said. Both senators also highlighted that the bill passed the intelligence committee in May by a bipartisan vote of 14-to-1.
The lone vote against CISA belonged to Sen. Ron Wyden (D-Ore.), who has spent months warning about the potential privacy problems in the bill. “Despite this bill’s name, a broad range of cybersecurity experts agree: CISA will do little to protect you from hackers, and it may even make things worse,” he wrote in an op-ed in July. He picked up the same theme on Tuesday, when he spoke on the Senate floor shortly after the bill was introduced. “I believe this bill will do little to make Americans safer, but will potentially reduce the personal privacy of millions of Americans in very substantial ways,” he said.
Privacy groups and many leading technology companies agree. The Computer and Communications Industry Association, a lobbying group whose members include tech giants Facebook, Amazon, and Google, has come out strongly against the bill. “CISA’s prescribed mechanism for sharing of cyber threat information does not sufficiently protect users’ privacy or appropriately limit the permissible uses of information shared with the government,” the group wrote in a statement last week. Twitter, Apple, and other tech companies also oppose CISA.
In addition to the bill’s privacy provisions being too broad, they say, CISA would not have prevented the kind of major hacks that have made news in recent months, including the breach of millions of personnel records at the Office of Personnel Management. Feinstein acknowledged these shortcomings on Tuesday when she called CISA “the most effective first legislative step,” to be followed by other fixes. Privacy groups also don’t buy the notion that the bill is voluntary: Amie Stepanovich, the US policy manager for the open-internet advocacy group Access, argued in Wired in August that the government has a history of demanding information sharing in order to take part in vital cybersecurity programs. “Not to comply might actually harm their corporate interests and put their customers at risk,” she wrote.
Experts in the technology industry also contend that CISA’s deck seems stacked in favor of the government. “All the efforts we’ve heard so far are kind of greasing the skids to make it easier for the private sector to give information to the government and not the other way around,” Rick Howard, the chief security officer of Palo Alto Networks, told the Christian Science Monitor in June.
Even CISA’s detractors admit the bill seems likely to pass. As debate on the bill continued on Wednesday, senators from both parties lined up to back it and praise one another for supporting it. “There’s a lot of pressure to do something about cybersecurity, which is why senators may be leaning toward support, even [while] recognizing the bill doesn’t do what it claims it’s going to do,” says Nathan White, a senior legislative manager at Access.
But the bill’s supporters are still racing against the clock to get it finished. Congress must pass a transportation spending bill by the end of the month, and the latest of the never-ending fights over raising the debt limit needs to wrap up by November 5 to avoid a default. On Tuesday, Burr repeatedly urged senators who proposed amendments to the bill to debate them quickly so there can be a vote on CISA by the end of the week. And White sees another reason for supporters to conclude things quickly: “I think the longer it stays open, the more people consider it, and the more they look at it, the harder and harder [it] will be for them to get 60 votes.”
Update, 10/27/15: CISA passed the Senate by an overwhelming 74-21 vote on Tuesday. Passage was widely expected, but privacy advocates had hoped to strengthen privacy protections by passing several amendments, including ones that would impose stricter standards on the scrubbing of personal information, narrow the definition of the cyber threats that warrant information sharing, and remove the bill’s FOIA exemption. While those amendments failed, the Senate did approve a 10-year sunset provision and block an attempt to encourage information sharing with the FBI and Secret Service and not just the Department of Homeland Security.
The bill will now go to a conference with the House of Representatives, which passed different information sharing legislation earlier this year. Privacy advocates are clinging to the hope that negotiations with the House might produce nothing that Congress can present to President Obama. “This will not be an easy process,” wrote privacy group Access in a statement after Tuesday’s vote. “Arguing against an amendment during debate this morning, Senator [Richard] Burr said that even ‘simple tweaks’ threaten to derail this bill.”