Senate passes first major cyber bill in years

The Senate on Tuesday passed a major piece of cybersecurity legislation intended to stem the flood of cyberattacks on both government agencies and private companies.

The so-called Cybersecurity Information Sharing Act (CISA), a piece of legislation years in the making, passed 74-21. 

The House approved companion legislation in April, so the cybersecurity measure is now on track to reach President Obama’s desk and be signed into law, once a conference report is negotiated.

{mosads}As the Senate closed in on approving CISA, Majority Leader Mitch McConnell (R-Ky.) called the bill “key to defeating cyberattacks and protecting the personal information of the people we represent.”

CISA attempts to open up communication channels between industry and federal agencies by offering legal immunity to companies that share data with the government. Many industry groups have argued this back-and-forth is necessary to better understand and stymie overseas hackers.

Sen. Dianne Feinstein (D-Calif.), who co-sponsored the bill with Sen. Richard Burr (R-N.C.), expressed relief on the Senate floor as her bill finally appeared bound for passage.

“For me this has been a six-year effort, and it hasn’t been easy,” she said.

“This is kind of a new day,” Feinstein concluded later, as the chamber moved to a final vote. “A way to pass a complicated, somewhat technical bill.”  

CISA has been through several failed iterations over the last few Congresses, only gaining traction after the mammoth hacks on the Office of Personnel Management (OPM) this spring.

Supporters of the measure have spent months negotiating privacy issues raised by the legislation.

The bill faced fierce opposition from privacy advocates who painted it as a “surveillance bill” that would funnel more sensitive information to the government.

Other critics have expressed concerns that the bill would do nothing to prevent the kind of hacks — like the OPM breach — that were used to justify its passage.

“Increasingly, when Congress just reacts to a technology issue which is all over the news, instead of getting the win-win — which is more security and more liberty — Congress ends up with a policy that really doesn’t deliver on either count,” leading CISA critic Sen. Ron Wyden (D-Ore.) told The Hill as it became apparent the bill would clear the Senate.

The Senate worked throughout the day on a series of amendments, many of which attempted to stem privacy concerns.

Wyden and his privacy-focused cohort made a last-ditch attempt to inject changes favored by the civil liberties and digital rights community.

While the group struck out in each of its five attempts, several of the amendments received more votes than anticipated. Wyden spun the better-than-expected support from both sides of the aisle as a positive.

“I was pleased that in the home stretch, visible, active support came from all across the political spectrum,” he said. “We’ll just keep building.”

The Oregon Democrat committed to continuing his crusade as the Senate bill is merged with the House offering.

“My sense is we’ve still got a conference, we’ve got a long debate ahead of us,” he told The Hill.

Several smaller privacy edits did make it into the bill via a manager’s package from Burr and Feinstein, CISA’s co-sponsors. The package pulled together nearly two dozen edits and amendments from various lawmakers, the product of several months of negotiations.

The amendment passed by voice vote.

The set of tweaks aims to address a number of the key concerns with how the bill affects digital privacy, including limiting the type of data that can be shared under the bill and clarifying the Department of Homeland Security’s (DHS) role as the primary intake valve for cyber threat data.

As a civilian agency with a major cybersecurity role, DHS is seen as having the most effective privacy oversight mechanisms to review data received under CISA.

Funnelling data through the DHS ensures it will “receive an additional scrub to remove any residual personal information,” Feinstein said Tuesday.

In this spirit, lawmakers blocked a contentious addition from Sen. Tom Cotton (R-Ark.) that would have facilitated a direct transfer of cyber threat data between businesses and the FBI and Secret Service.

Despite the back-and-forth over numerous amendments, the final measure passed easily, with the broad bipartisan support that the bill’s co-sponsors touted throughout debate. 

The bill now heads to a conference with the House, where staffers will work to combine CISA with the two companion bills passed by the House in April.

The process is expected to require “some serious negotiations,” according to one former House cybersecurity staffer. There are some critical discrepancies between the three bills, namely in the leeway they give companies to share data with agencies other than the DHS. 

Shifting House leadership and the technical nature of the bill will also slow down the timeline, Burr told reporters minutes after CISA passed.

“You saw how difficult it was and how technical this can be,” he said.

Digital rights groups are not giving up either, vowing to continue pressing lawmakers to include the most stringent privacy mechanisms from each bill into the final law.

“We’re going to move at a very slow pace,” Burr added, predicting the two chambers wouldn’t resolve their differences before the new year. 

Once the bill is enacted, there are also lingering questions over how many companies will participate. The advocacy group Fight for the Future has said it will try to obtain pledges from companies not to share data under CISA.

“[CISA] flies in the face of where most people are at on this, including the tech industry,” said Tiffiniy Cheng, co-director of Fight for the Future, an advocacy group fighting CISA.

During their final pitches for the bill, Burr and Feinstein emphasized that the program will be entirely voluntary.

“Nobody is mandated to do it,” Burr insisted. “So I speak specifically to those companies right now. You might not like the legislation, but for goodness’ sake, do not deprive every other business in America from having the opportunity to have this partnership.”

Facebook, which operates its own threat-sharing forum to which it has not invited the government, has indicated it is unlikely to participate in CISA.

But the simple fact that Congress even got the bill through both chambers has amazed many observers.

“It’s a notable moment that the issue has come this far,” said Norma Krayem, a tech-focused lobbyist who co-chairs the Data Protection and Cybersecurity division at law firm Holland & Knight. “Two weeks ago, no one I talked to believed me when I said the bill would come to the floor.”