Cybersecurity

Biz groups lock horns ahead of cyber vote

The fight over a controversial cyber bill hurtling toward the Senate floor is reaching an apex in Washington, with letters, videos and advertisements blanketing the city.

The Cybersecurity Information Sharing Act (CISA), meant to boost the exchange of data about digital threats between businesses and the government, has been stuck in the upper chamber for months, stalled over privacy concerns and lost in a packed Senate calendar.

{mosads}But according to multiple people with knowledge of the negotiations, Senate Republican leaders may bring up the measure as early as Tuesday, after wrapping discussion on an immigration bill.

That expectation has brought new CISA critics out of the woodwork and caused long-time advocates and opponents to redouble their campaigns to either stymie CISA or push it across the finish line.

For months, the main narrative has been that CISA pitted advocates for privacy and digital rights against industry groups.

Private sector representatives have long called the bill a necessary first step to better understand and thwart the data breaches that have plagued retailers including Target and Home Depot, banks such as JPMorgan Chase, and Anthem, the nation’s second-largest health insurer. The bill would shield companies from legal liability when sharing cyber threat data with the government, protecting them from shareholder lawsuits.

Privacy-minded groups have fought back, arguing CISA would merely shuttle more of Americans’ personal data to law enforcement and intelligence agencies without actually strengthening cyber defenses.

But in the last week, D.C. has been smothered by a series of messages and advertising that has blurred the lines of CISA support and opposition.

In particular, the tech industry, which had mostly stayed out of the CISA debate, has jumped in, revealing broader industry fissures.

The Computer & Communications Industry Association (CCIA), a prominent tech trade group representing major players in Silicon Valley and the telecom and e-commerce sectors, said last week that it was “unable to support” CISA in its current form.

“We’re looking to see improvements to the bill,” said Bijan Madhani, regulatory counsel at CCIA, with members including Silicon Valley bigwigs Facebook, Google and Yahoo, telecom companies such as Sprint, e-commerce giants Amazon and eBay, and Netflix and Microsoft.

Other individual companies, including Apple and the Wikimedia Foundation, which runs Wikipedia, have also come out against the current bill.

Much of their opposition stems from concerns over exactly what information companies could share with the government and how federal officials could use that data.

“People like to have clarity when they’re doing this kind of sharing,” Madhani said. “Right now information gets shared, but it’s sort of less structured.”

Madhani said his organization decided to jump in at the 11th hour because it has had time to view the potential amendments that will be considered when CISA hits the floor.

In August, Democrats and Republicans struck a deal to bring up least 22 amendments, with no cap on discussion time.

Several of these edits would address the CCIA’s concerns, but may not necessarily win over the entire tech community.

A manager’s amendment from CISA co-sponsors Sens. Richard Burr (R-N.C.) and Dianne Feinstein (D-Calif.) would restrict how the government can share and use the data gathered under CISA. Sen. Al Franken (D-Minn.) is also backing an amendment to narrow the definition of “cybersecurity threat indicator,” a broad category for the data companies will pass to federal agencies.

The sudden input from the tech industry has given privacy advocates and staunch CISA detractors more ammunition for what was once seen as a losing cause.

Advocacy groups including Fight for the Future and the Electronic Frontier Foundation have been putting the thumbscrews on both lawmakers and private companies to oppose CISA, bombing legislative offices with faxes and emails and orchestrating boycotts.

“I think over the last couple weeks, the dynamic on this has really shifted,” Fight for the Future campaign director Evan Greer told The Hill. “It’s clear to us that CISA is increasingly becoming seen as a sinking ship.”

Earlier this month, Fight for the Future pressed BSA The Software Alliance about a letter it issued on the general value of cyber information-sharing legislation. The pressure caused BSA  to specify that it does not support CISA and several signers to denounce the letter and come out against the bill. 

Fight for the Future is continuing its anti-CISA campaign this week, pressing Democratic presidential hopeful Hillary Clinton on Monday to join rival Bernie Sanders  in taking a position against the bill.

The Electronic Frontier Foundation, another prominent digital rights organization, is also actively campaigning for companies to oppose the legislation. Legislative analyst Mark Jaycox told The Hill he expects to see more companies publicly opposing CISA in the coming weeks.

Privacy advocates have expressed limited support for a handful of amendments, notably a pair from leading  CISA detractor Sen. Ron Wyden (D-Ore.) that would require companies to strip personal details from threat data and require a way for notify anyone whose information might be inappropriately shared.

Jaycox says that although “there’s no doubt” Wyden’s amendments are “the strongest,” they still don’t define how data will be used.

Not to be outdone, the private sector’s CISA proponents have intensified efforts to get the  bill through the upper chamber.

Financial industry groups signed on to a letter that hit senators’ offices last week. Capitol Hill staffers, meanwhile, have been passing ads plastered throughout the Capitol South Metrorail stop urging CISA’s passage.

And on Monday, the Financial Services Roundtable (FSR), which represents top banks, insurers and credit card companies, launched a multiweek advertising push that will include radio spots and social media and video ads.

Jason Kratovil, FSR vice president of government affairs for payments, said the group is seeking to allay the privacy concerns that have dogged CISA for months, arguing that companies have “no desire” to share personal data with the government.

“There’s nothing identifiable in it,” he said. “We’re talking about bits and bytes.”

All major industries — finance, retail, energy — are under “constant attack” from hackers and foreign governments, -Kratovil added.

“We need a set of legal rules of the road to make sure that we all are able to help each other to stop the bad guys from getting in and potentially taking data and harming consumers,” he said.

Fight for the Future has already pushed back on the FSR campaign.

“It could have been a really good trailer for a Bruce Willis movie, but it doesn’t actually say anything about what CISA would do to improve our cybersecurity — and that’s because it wouldn’t do anything,” Greer said.

If CISA hits the floor, these opposing forces will meet, and Wyden believes the impact could derail the bill.

“When we have that debate, people are going to see how flawed the bill is,” he told reporters earlier this month.

Burr has confidently vowed the Senate can plow through any potential edits despite the disagreements.

“We can process 21 amendments in a matter of days as long as we have the cooperation of our members,” he said.