The Senate is on the cusp of passing its biggest cybersecurity bill to date, following years of debate and countless revisions to the contentious legislation.
The Cybersecurity Information Sharing Act (CISA) would encourage companies to share their data on hackers with the government. With the House having already approved its companion legislation and the White House on board, the Senate’s is the final OK needed for Congress to enact its first major cybersecurity bill in years.
“We have been at this for six years,” said Sen. Dianne Feinstein (D-Calif.), a CISA co-sponsor, on the floor last week. “This is the third bill. We have been bipartisan.”
{mosads}CISA backers, which include many industry groups and a bipartisan coalition of lawmakers, believe the bill is the necessary first step to better understand and stymie the mammoth hacks that have plagued U.S. retailers including Target and Home Depot, as well as government agencies including the Office of Personnel Management.
But a vocal alliance of digital rights groups, tech companies and privacy-minded senators have led a late-surging campaign to block the bill, which they believe will shuttle more private data to the government without actually boosting cybersecurity.
But after months of delays on the bill, it appears the anti-CISA cohort has finally run out of options to further stall the upper chamber.
Leading critic Sen. Ron Wyden (D-Ore.) and his colleagues opposing the bill will get their last shot at strengthening CISA’s privacy provisions on Tuesday. Wyden remains hopeful he can cobble together a coalition to push through his preferred amendments — or halt the bill yet again.
“I think you’re going to see additional people coming out against this,” he told reporters late last week. “When you have a reactive Congress — we’ve all seen these cyberattacks — and somebody says here’s a cybersecurity bill, you always have a big educational challenge.”
But Wyden’s proposal and other privacy-focused amendments aren’t expected to pass, and CISA will likely be approved by a significant margin.
For supporters, Tuesday is the culmination of years of work, a process that began long before the high-profile hack at Sony Pictures Entertainment made cybersecurity a gossip item.
CISA’s origins trace back to a years-long fight over a 2012 bill from then-Sen. Joe Lieberman (I-Conn.), who chaired the Homeland Security and Governmental Affairs Committee, and Sen. Susan Collins (R-Maine).
Since then, pressure has gradually mounted on Congress to do something to stem the tide of cyberattacks that have battered American businesses. According to recent research that IBM commissioned from the Ponemon Institute, the average fallout cost from a data breach now runs to nearly $6.5 million for a U.S. firm, up 11 percent over the previous year.
The financial losses have helped bring industry groups around on a cyber information-sharing bill. After joining privacy advocates in opposing the Lieberman-Collins effort, groups such as the U.S. Chamber of Commerce are now some of the biggest supporters of passing CISA.
“CISA goes far in addressing the legal and policy cybersecurity priorities that the Chamber has been advocating for several years,” the Chamber said in a letter sent to senators last week.
Lawmakers have worked to tighten the legal liability protection language that CISA would grant companies sharing cyber threat data with the government. Such immunity was critical to gaining the support of industry groups worried about excessive shareholder lawsuits under the measure.
Feinstein, the top Democrat on the Senate Intelligence Committee, has also worked with two consecutive chairmen — former Sen. Saxby Chambliss (R-Ga.) and current Chairman Richard Burr (R-N.C.) — to boost the privacy provisions in the final bill. That language was essential to convincing some prominent on-the-fence Democrats and the White House to support the bill.
After Burr’s committee approved the bill in March, he joked that Feinstein “has stretched me so far” on privacy concessions, “I feel like I’ve had cosmetic surgery.”
Still, Burr and Feinstein have since had to fight off other privacy concerns from both sides of the aisle. In a bid to allay these fears, the duo will use a manager’s package — essentially a bundle of edits from various senators — to further limit what data the government can collect and how it can be used. The package is widely expected to be adopted in a Tuesday vote.
The work helped win over party leaders, like Sen. Tom Carper, the ranking member of the Homeland Security panel.
The Delaware Democrat had backed a competing cyber bill earlier this year, and initially expressed reservations about CISA. But on the Senate floor last week, Carper gave a full-throated endorsement of the measure, saying Feinstein’s edits had made it a “significantly smarter and stronger bill.”
The White House also cited the pair’s efforts in its official CISA endorsement, issued late last week.
But their efforts haven’t won over Wyden and his coalition of privacy-minded senators, including Al Franken (D-Minn.), Patrick Leahy (D-Vt.) and Dean Heller (R-Nev.), as well as Sens. Rand Paul (R-Ky.) and Bernie Sanders (I-Vt.), both presidential candidates.
“When it comes to real privacy protection for millions of Americans with this [manager’s package], there is simply no ‘there’ there,” Wyden said on the floor Thursday.
The Burr-Feinstein edits have also failed to attract goodwill from the digital rights and civil liberties community, which has tarred CISA as a surveillance bill.
Because of provisions requiring data shared under CISA to be spread government-wide, said Greg Nojeim, senior counsel at the Center for Democracy & Technology, “the bill will channel more Internet user communications information to the [National Security Agency] and other elements of intelligence community and law enforcement needlessly.”
“Important amendments would lessen that likelihood, but at the end of the day, the world that we’ll face is one in which instead of minimizing the flow of user information to the NSA, the bill will mandate it,” he added.
If CISA is approved on Tuesday, the bill will head to a conference with the House. The lower chamber easily passed its two companion bills in April, and staffers will work to combine the three bills into a final measure for President Obama.
Both backers and opponents of the legislative efforts have raised doubts about whether the two sides can smoothly merge the three bills. There are some significant discrepancies between them regarding how businesses pass information to the government that will require “some serious negotiations,” as one former House staffer put it.
Digital rights groups say they will keep up the pressure throughout this process, urging lawmakers to include the most stringent privacy mechanisms from each bill in the final law. One advocate, Fight for the Future, will also work to obtain pledges from companies to not share data under CISA.
But for CISA proponents, Tuesday will likely serve as a deep sigh of relief, the final period on the prolonged negotiations that shepherded this cybersecurity legislation through Congress.
“This is a good bill,” Feinstein said. “It is a first step. It is not going to prevent all cyberattacks or penetrations, but it will allow companies and the government to share information about the cyber threats they see.”