The final battle over the Senate’s biggest cybersecurity bill in years is slated to take place Tuesday on the floor of the upper chamber.
And the fever pitch over the Cybersecurity Information Sharing Act (CISA) — which would offer legal liability protections to encourage companies to share data on hacking threats with the government — is reaching its apex just days ahead of a crucial vote.
{mosads}Privacy-minded senators, civil rights groups and a growing number of tech companies are warning the legislation will merely shuttle more of Americans’ personal data to the government without actually bolstering cyber defenses.
But CISA proponents — including a large bipartisan coalition of lawmakers, many industry groups and the White House — insist the bill is a necessary first step if businesses and the government want to stop the deluge of cyberattacks.
These opposing forces will clash on the Senate floor during an action-packed Tuesday, as each side gets to debate their preferred amendments.
In total, eight amendments are scheduled for votes throughout the day, including one manager’s package from CISA co-sponsors Sens. Richard Burr (R-N.C.) and Dianne Feinstein (D-Calif.), that pulled together nearly two dozen edits and amendments from various lawmakers.
After that, Senate leaders will likely move to end debate and try to pass the bill.
Here’s who to watch for as CISA nears the once-elusive finish line.
1. Sen. Ron Wyden (D-Ore.)
Wyden, a staunch privacy advocate beloved by many in the tech sector, has been leading the crusade against CISA in the upper chamber.
The Oregon Democrat was the lone dissenting vote on CISA when the bill passed out of the Senate Intelligence Committee in March. He has since spent months organizing opposition to the bill, while trying to amend it himself.
Wyden succeeded in getting one of his proposals attached to the manager’s amendment offered by Burr and Feinstein. That measure is widely expected to pass on Tuesday.
But Wyden’s push to heighten the requirements for companies to remove personal details before sharing cyber threat data with the government faces long odds as a standalone amendment.
CISA “creates an incentive for companies to dump large quantities of data over to the government with only a cursory review,” Wyden argued on the floor this week.
The CISA critic is holding out hope he can collect enough votes for his alternative language, although many are skeptical.
“I think you’re going to see additional people coming out against this,” he told reporters. “When you have a reactive congress — we’ve all seen these cyber attacks — and somebody says here’s a cybersecurity bill, you always have a big educational challenge.”
2. Sen. Tom Cotton (R-Ark.)
Perhaps the most divisive amendment will come from Cotton. It’s also the standalone amendment with the best chance of passing.
The Arkansas Republican’s proposal would facilitate a direct transfer of cyber threat data between businesses and the FBI and Secret Service. Currently, the bill encourages companies to go through the Department of Homeland Security (DHS), with some limited exceptions.
Industry proponents argue the edit would allow them to communicate efficiently with long-standing law enforcement partners critical to fighting cyber crime.
“The Cotton amendment recognizes that retailers and the FBI and Secret Service are longstanding partners in working together to prevent cyber-attacks,” said Paul Martino, senior policy counsel at the National Retail Federation, one of 10 industry groups that sent a joint letter to senators this week. “Forcing retailers in time-critical situations to abandon these established partnerships with federal law enforcement and work through the new DHS bureaucracy will only add uncertainty and delays.”
But privacy advocates warn the provision would merely let companies and the government skirt important DHS privacy protections. The White House urged lawmakers to oppose Cotton’s offering in the administration’s official CISA endorsement, issued late Thursday.
“The administration will strongly oppose any amendments that would provide additional liability-protected sharing channels, including expanding any exceptions to the DHS portal,” the White House cautioned.
Some CISA backers have even worried the Cotton amendment could cause senators and the White House to pull CISA support, possibly derailing the bill altogether. The concern has led many, including supporters, to believe the proposal will ultimately fail.
3. Sens. Chris Coons (D-Del.), Al Franken (D-Minn.) and Dean Heller (R-Nev.)
This trio of senators is backing three long-shot amendments favored by privacy advocates.
Each has raised red flags about CISA’s broad definitions and what they view as inadequate provisions dictating how the government will handle the data it gets.
“Major concerns,” Sen. Al Franken (D-Minn.) said on the floor Thursday, “still have not been resolved.”
Franken is backing an amendment that would narrow the definition of “cybersecurity threat,” limiting the type of data the government would receive.
The current definition, Franken said, “actually threatens to undermine security by increasing the amount of unreliable information shared with the government.”
Sen. Dean Heller (R-Nev.) is behind a proposal to heighten the bar for government agencies when stripping personal details from the data it receives. The edit, he said this week, would “hold the federal government accountable.”
Sen. Chris Coons (D-Del.) has a similar amendment that he believes would create a stricter privacy standard for DHS when it reviews cyber threat data.
Privacy advocates say these edits, plus Wyden’s desired change, could help the bill, though they would still oppose the measure.
4. The White House hopefuls
Two of the Senate’s four White House candidates have staked out positions against CISA.
Sen. Rand Paul has been the most vocal. The Kentucky Republican has a CISA section on his campaign website where he claims the bill “would transform websites into government spies.”
But his last-ditch bid to alter the bill was stuck down Thursday. Paul was pushing an amendment that would have rescinded CISA’s legal liability protections for companies if those firms violated a user or privacy agreement when sharing its cyber threat data with the government.
CISA “makes your privacy agreement not really worth the paper it’s written on,” he said shortly before the vote.
Some have wondered whether Paul, who initially made a name for his 2016 campaign by speaking out on government surveillance, will take a stand on the Senate floor this week to further denounce the bill.
Sen. Bernie Sanders (I-Vt.) has also come out against CISA, although he has not made it a talking point on the Senate floor.
A third candidate, Sen. Ted Cruz, has drawn heat from the tech community after a video surfaced from Oct. 15 showing the Texas Republican acknowledging his unfamiliarity with CISA.
“I will confess that that is not a bill that I have studied,” he told a crowd in Iowa.
On Thursday, Cruz voted in favor of Paul’s amendment, but also in favor of ending debate on the Burr-Feinstein manager’s package, the first procedural hurdle in getting CISA to a final vote.
Sen. Lindsey Graham (R-S.C.) has not been vocal in the CISA debate — and wasn’t present for Thursday’s votes. But the presidential candidate has long touted the need for cybersecurity legislation and increased cyber defense funding.
5. Apple
A growing number of tech companies have been taking increasingly bold public stances against CISA in recent weeks.
After quietly opposing the bill for weeks, Apple stepped out on Tuesday with a public statement.
“The trust of our customers means everything to us and we don’t believe security should come at the expense of their privacy,” the California-based company said in a statement to The Washington Post.
Apple was the latest in a last-minute landslide of individual tech companies that started opposing the bill after several prominent tech industry groups came out out against an unedited CISA. Wikimedia, Yelp, Salesforce and reddit all recently spoke out against CISA, and more could be on the way.
Their opposition has become a leading point of contention on the Senate floor, with Wyden and Franken using tech industry opposition as a central point in their speeches.
Tech firms “have to make sure they’re protecting both cybersecurity and individual privacy,” Wyden said. “Those companies, they know that customer confidence is their lifeblood.”
Feinstein fired back that she was struggling to understand “the moaning and groaning” about a voluntary bill.
“I say if you don’t want to participate, don’t participate,” she said.
Tech companies should want legislation that helps them protect their data, Burr added.
“They are the richest depositories of data in the world,” he said. “I hope they wake up and smell the roses.”
— Updated 3:50 p.m.