The Senate passed the Cybersecurity Information Sharing Act Wednesday, ending a tortuous process that stretched across two sessions of Congress and dealing a beating to privacy advocates, whose attempts to amend the law were defeated and whose opposition to the bill proved futile.
CISA, which passed by a vote of 74-21, grants legal immunity to private companies who share cyber threat information with the Department of Homeland Security. The House passed two versions of the law earlier this year, but privacy advocates had been pressing for the Senate to either reject the bill entirely or pass amendments tightening controls over personally identifiable information that might get swept up and sent to the government in the automated real-time process the draft law envisages.
Amendments from Sens. Ron Wyden, D-Ore., Al Franken, D-Minn., Dean Heller, R-Nev., and Patrick Leahy, D-Vt., were all voted down Wednesday morning. In the afternoon, amendments from Sens. Tom Cotton, R-Ark. and Chris Coons, D-Del., were also heavily defeated, but a managers’ amendment — a package of changes backed by the bill’s authors — passed, as did the whole bill.
Many tech companies have stood in line with privacy groups like the ACLU and the New America Foundation, coming out against the bill in the weeks leading up to Wednesday’s vote. However, business interest groups like the National Retail Federation and the U.S. Chamber of Commerce have pressed for its passage.
One tech industry association, the Information Technology Industry Council, commended the Senate shortly after the bill passed, saying it will empower “all stakeholders to better protect and defend cyber networks.”
“The voluntary sharing of cyber threat information helps enable such protection and defense if it safeguards privacy, offers adequate legal liability protection to encourage participation, focuses on actionable and timely information, and promotes continued innovation,” said Dean Garfield, ITI President and CEO, in a release.
He suggested that any remaining privacy concerns could be dealt with by lawmakers in the coming weeks: “We see a key opportunity for bill sponsors and conferees in the House and Senate to come together to address outstanding concerns and send a final bill to the President that best achieves our shared goal of promoting greater cybersecurity.”
Others said the onus was on the private sector to ensure the bill didn’t impinge on Americans’ privacy. “We have … heard the message loud and clear that information sharing efforts must not cost us our privacy,” said former White House cybersecurity official Paul Kurtz. “Now that government has played its role by removing legal obstacles to cyber incident collaboration, it is time for industry to work together to create a privacy-preserving information sharing infrastructure.”
Wyden said in a statement that the vote is an “early, flawed step in what is sure to be a long debate.”
“Sharing more personal information with the government heightens the risk that hackers will poach data from an insecure federal database, and adds background noise from information unrelated to cyber threats,” he said after the vote.
“Large numbers of Americans joined leading U.S. tech companies to speak out against this bill, because they know that the U.S. needs real solutions to cyberattacks, and not feel-good legislation that is not up to the task of thwarting digital criminals and foreign hackers. Because of their efforts, a few of this bill’s worst flaws have been removed, and I encourage them to keep making their voices heard so that more of its flaws will be addressed.”
CISA will now join two cybersecurity information sharing bills that moved through the House of Representatives earlier this year, likely in a conference committee between the two chambers where details will be hammered out before the bill makes its way to President Barack Obama’s desk.
At a cybersecurity event held by Deloitte prior to Tuesday’s vote, Rep. Will Hurd, R-Texas, Chairman of the House Committee on Oversight and Government Reform’s IT subcommittee, said he was looking forward to the conference process, which will most likely again focus on PII protections and what agencies are responsible for communicating with the private sector.
“We can protect our civil liberties and infrastructure at the same time,” Hurd said. “We can create a framework in which the federal government can share absolutely all the information they have with the private sector so the private sector can protect itself. Right now, that’s not happening. That’s unacceptable in my opinion.”
A spokesperson from Hurd’s office said that the congressman has expressed interest in being part of the committee, but said with the Speaker of the House in flux, it’s unclear as to when a committee will be picked.
Some security experts expressed their displeasure with the bill’s passage after the vote.
Ben Johnson, Chief Security Strategist with Massachusetts-based security firm Bit9, said the bill does little, if anything, to protect companies’ interests.
“Most cyber-security problems result from poor IT hygiene, lack of skilled people, and security not being as much of a business concern as it should be,” Johnson said. “There are already lots of threat intelligence sharing communities springing up, so this bill won’t really improve much.”
That echoes what leaders of information sharing and analysis centers said last week during a cybersecurity conference in Washington, D.C. Several directors said while they support the bill, a great deal of sharing is already being done by the ISACs without the legislation.