The protracted fight over a stalled cybersecurity bill finally hit the Senate floor Tuesday afternoon, ending months of false starts for the controversial measure.
The Cybersecurity Information Sharing Act (CISA) has been delayed since March because of a packed Senate floor schedule and a fight from privacy advocates over the legislation, which would give companies legal liability protection when sharing cyber threat information with the government in an effort to boost the exchange of hacking data.
{mosads}Private-sector representatives, a bipartisan group of lawmakers and even the White House have long called CISA a necessary first step to better understand and thwart the data breaches that have plagued a broad swath of industries.
“Actors around the world continue to attack U.S. systems, and in many cases penetrate it,” Senate Intelligence Committee Chairman Richard Burr (R-N.C.) said on the floor, making his opening pitch for the bill he co-sponsored. “The amount of personal data that’s being accumulated out there somewhere provides almost a road map to everything about anybody.”
But privacy-minded groups and a growing number of tech companies have fought back, arguing CISA would merely shuttle more of Americans’ personal data to law enforcement and intelligence agencies without actually strengthening cyber defenses.
“The reason they don’t support the bill in its present form is because they know their customers and followers feel that there is inadequate privacy and are going to lose confidence in those products and services,” said leading CISA opponent Sen. Ron Wyden (D-Ore.), referencing opposition from companies like Apple and Twitter, shortly before heading onto the floor to denounce the bill.
“To those companies that find no value in it,” Burr countered on the floor, “don’t participate. It’s that simple. That’s the beauty of voluntary.”
CISA originally came to the Senate floor earlier this year ahead of the August recess. Lawmakers punted on the legislation but agreed to consider at least 22 amendments with no time limit when the legislation was brought back up.
On Tuesday afternoon, shortly before Democrats blocked a bill to crack down on so-called sanctuary cities, Senate Majority Leader Mitch McConnell said CISA would be next in the queue.
McConnell added that the Senate could take a vote on final passage of the cyber bill “as soon as next week.”
“This is legislation that we are confident that we can pass,” he said. “We intend to see it through completion hopefully next week.”
Burr separately told reporters that the Senate could tackle the cyber bill “in a couple of days” if they can get cooperation from lawmakers.
“We’ll work through as expeditiously as we can,” said Burr. But he added that an agreement to limit debate time seemed unlikely.
In a move that will help speed movement of the bill, Burr revealed that Senate leaders had agreed to attach eight of the amendments to a manager’s package from himself and Sen. Dianne Feinstein (D-Calif.), CISA’s other co-sponsor.
But privacy advocates’ favored amendment from Wyden did not make it, meaning it faces an uphill battle.
The proposal would require a system to review all cyber threat data passed to the government and remove any personal information.
Of his two amendments, Wyden told reporters this is the one “I feel most strongly about.”
“We’ve always been told this is about threats, this is about threats to our country, our institutions,” he said. “Why do you need people’s personal information?”
Wyden’s other amendment — which would create a process to notify people whose personal information has been inappropriately shared — will be included in the manager’s package, which is expected to pass.
The inclusion didn’t win over the Oregon Democrat, who blocked Burr’s attempt to schedule a final vote on all amendments and the bill for Thursday morning.
“Even with the manager’s amendment, even with the manager’s amendment, the core privacy issues are not being dealt with,” Wyden said on the floor.
Burr shot back that “nothing in this bill creates any potential for surveillance authorities, despite rumors to the contrary,” pointing to clauses in his amendment that would limit the information that can be shared and restrict what the government can do with that data.
Several other lawmakers from the privacy- and civil liberties-minded cohort were also left out of the manager’s amendment.
Sen. Al Franken (D-Minn.) has an proposal that would narrow the definition of “cyber threat indicator,” a broad category for the data companies will pass to federal agencies.
Sen. Dean Heller (R-Nev.) is supporting an edit that would also raise the standard on companies for removing sensitive data before sharing it with the government.
Most of the amendments tacked on to the manager’s package would create requirements for the government to produce reports on different types of cyber threats and more comprehensive cyber strategies.
Burr and Feinstein also accepted an offering from Sen. Tom Carper (D-Del.), the top Democrat on the Senate Homeland Security and Governmental Affairs Committee, which is based on the text of a bill he introduced in July, the Federal Cybersecurity Enhancement Act.
The measure would require all agencies to adopt certain cybersecurity best practices, while accelerating the rollout of the government’s anti-hacking shield that detects and repels known cyber threats.
Senators will continue to tussle over additional amendments in the coming days, with Wyden expected to make a big push on privacy issues. But most observers believe it’s unlikely CISA opponents will be able to ultimately block or signficantly alter the bill.
“I don’t ever make predictions,” Wyden told reporters. “I know what it’s like to be up against very entrenched interests, but I’ll tell ya, if there are inadequate privacy protections, the people who are going to be held accountable are members of Congress.”
— Jordain Carney contributed