Senate Takes Up Consideration of Controversial Cybersecurity Bill
Business groups want liability protection to share information with the government, but the bill is unlikely to deliver major security benefits.
After years of delay and opposition from privacy groups, the Senate began debate Tuesday on a controversial cybersecurity bill to give companies broad immunity to share cyberthreat information with the federal government.
Speaking to reporters at the Capitol, Senate Majority Leader Mitch McConnell (R-Ky.) said he hoped to have the measure passed by early next week. It would still need to be reconciled with a slightly-different bill already approved by the House.
The Senate proposal, the Cybersecurity Information Sharing Act, is co-sponsored by Senate Intelligence Chairman Richard Burr (R-N.C.) and that panel’s top Democrat, Sen. Dianne Feinstein of California. Both on Tuesday sought to rebut claims about the bill’s privacy impacts that have dogged the measure throughout the year.
In recent days, several major tech companies and trade associations have declared opposition to the measure. Burr, however, the bill cannot force companies to share threat information, and that doing so would happen on a purely voluntary basis.
CISA is also opposed by privacy groups that fear the plan will hand the government additional power to hoover up intelligence information, including personal information about Americans who have been victims of cyberattacks. Security experts, meanwhile, are deeply skeptical the measure will deliver security improvements that could prevent the kind of major data breaches that have catapulted cybersecurity issues to the forefront of the public debate.
The business community, in a lobbying effort led by the U.S. Chamber of Commerce, is clamoring for CISA to be passed, largely because it protect companies from lawsuits. Under current laws, companies already share attack information with the federal government and within industry groups.
Yet some firms remain nervous about doing so, afraid that data-sharing may expose them to legal action from customers who allege mishandling of private information. Extending liability protections may be one way to expand such information-sharing. Even if it fails to do so, protection from what industry lobbyists call “frivolous lawsuits” over information shared with the government has become a key goal for business groups.
On Tuesday, Feinstein conceded that the measure is unlikely to deliver huge security dividends. “This legislation is a first step toward improving cybersecurity,” Feinstein said. “It’s not a panacea.”
To speed passage of the bill, Senate staffers recently have been negotiating as many as 22 amendments into the so-called “Manager’s Amendment,” a modification to the bill offered by Burr and Feinstein. On Tuesday, they agreed to add several provisions to strengthen privacy protections, including ensuring that personally identifying information is removed before those cyberthreat data are distributed throughout the government. The new plan also requires the federal government notify individuals whose personal information was inappropriately provided to officials.
“As always, the devil is in the details,” Robyn Greene, policy counsel at New America’s Open Technology Institute, wrote in an email. She said the new proposal appears stronger but, overall, the amendments “mostly nibble around the edges,” rather than raising “the standard that companies must meet to protect Americans’ personal information” and ensuring “that military and intelligence agencies like the NSA don’t unnecessarily receive and use it.”
Several proposals to further strengthen the bill’s privacy protections were rejected, including one to more sharply reduce any possibility that personally identifiable information could be shared among government agencies.
“If you can’t secure it, don’t collect it,” said Sen. Ron Wyden (D-Ore.), a privacy advocate who opposes the legislation. He warned that information collected by the government may very well be targeted by hackers out to harvest personally identifiable information.
CISA’s formal introduction to the Senate floor sets up what is likely to be an intense fight over what is included in the final law. The debate over the measure has grown deeply polarized: In a floor speech Tuesday, Wyden said the bill has “widespread opposition,” drawing an audible scoff from Feinstein. And when Wyden read a letter from the American Library Association warning the bill would give American intelligence agencies additional power, she gasped and exclaimed, “What?”
Burr said he hopes the Senate will consider amendments to CISA on Thursday morning. Speaking to reporters in the Capitol, Sen. Dick Durbin, the Senate’s No. 2 Democrat, acknowledged the measure has become “fraught with controversy” and noted lawmakers will deal with a large number of amendments as they race through a packed legislative calendar for the rest of the year.
Win McNamee/Getty Images