The Cable

The Cable goes inside the foreign policy machine, from Foggy Bottom to Turtle Bay, the White House to Embassy Row.

Controversial Cybersecurity Measure Moves Forward in Senate

CISA would give companies liability protection for sharing cybersecurity information with the government.

The Cybersecurity and Information Sharing Act, a controversial bill to give liability protection to companies that share cyberthreat information with the government, passed a key test in the Senate Thursday as the measure moves toward a final vote.

Senators voted 83 to 14 to end debate on an amendment likely to determine the law’s final shape. Shortly afterwards, Senate Intelligence Chairman Richard Burr (R-N.C.) urged lawmakers to reject any amendments to that latest version of the bill ahead of a final vote scheduled for Tuesday.  

Together with Sen. Dianne Feinstein of California, the committee’s top Democrat, Burr has in recent weeks revised the bill to strengthen some privacy protections, limit the government from accessing shared information, and clarify that companies would be prohibited from “hacking back” against perpetrators of cyberspace attacks. These revisions were contained in the amendment that moved forward Thursday.

According to Robyn Greene, policy counsel at New America’s Open Technology Institute, the revisions have improved the bill’s civil liberties and transparency assurances but do not go far enough. In a letter to the Senate this week, Greene argued that the bill’s requirements for companies to remove personally identifiable information remain too weak and that its definitions remain too vague as to what is considered a “cybersecurity threat” and “cyber threat information.” The bill authorizes companies to share information under those definitions.

Moreover, Greene said, the Department of Homeland Security should retain control over how and when threat data is shared with other parts of the government, such as the NSA and CIA, to avoid a “militarization” of the information sharing system.

Senate Majority Leader Mitch McConnell said the Senate will carry out a series of votes on additional amendments on Tuesday, and vote on the full law by the end of the day. It still must be reconciled with a slightly different House bill.

CISA has drawn intense opposition from prominent tech companies, including Apple and Dropbox, which argue the bill falls short in protecting users’ personal information. Civil libertarians argue the measure is a surveillance bill in disguise, and fear it would grant U.S. intelligence agencies access to large volumes of data provided to them by American companies.

In recent months, Apple has staked out a series of aggressive positions to protect its users’ privacy, including automatically encrypting phone information by default. That has landed the tech giant in a dispute with law enforcement agencies that are furious about being unable to access phone data in a criminal investigation, even when backed with a court warrant.

“We design our products in such a way that privacy is designed into the product,” Apple CEO Tim Cook told NPR earlier this month. “We think that our customers want us to help them keep their data safe.”

Apple’s decision to oppose CISA is the latest front in its recent effort to protect customer privacy against government efforts to collect intelligence. “The trust of our customers means everything to us and we don’t believe security should come at the expense of their privacy,” Apple said in a statement urging senators to vote against the bill.

Several other technology companies have echoed that sentiment. “We care deeply about the privacy and security of our users,” Dropbox’s public policy chief Amber Cottle said in a statement opposing the bill. “While it’s important for the public and private sector to share relevant data about emerging threats, that type of collaboration should not come at the expense of users’ privacy.”

Other technology companies that have in recent days announced their opposition to CISA include Yelp, Twitter, and Wikipedia. That has become fodder for lawmakers who seek to defeat the legislation, such as Sen. Ron Wyden (D-Ore.). “Just because a proposal has cybersecurity in its title doesn’t make it good,” he said Thursday.

Responding, Burr and Feinstein said CISA’s provisions to share cyberthreat information are purely voluntary, and companies like Apple don’t have to participate.

Meanwhile, CISA is strongly backed by other business groups, including the U.S. Chamber of Commerce and the Financial Services Roundtable. Under current law, companies already share attack information with the federal government and within industry groups.

Yet some firms remain nervous about doing so, afraid that data-sharing may expose them to legal action from customers who allege mishandling of private information. Extending liability protections may be one way to expand such information-sharing. Even if it fails to do so, protection from what industry lobbyists call “frivolous lawsuits” over information shared with the government has become a key goal for business groups.

Coming in the aftermath of major breaches at the Office of Personnel Management and several major companies, there is clear political momentum in the Senate to pass cybersecurity legislation.

Nonetheless, computer security experts are nearly unanimous in pointing out that CISA’s information-sharing provisions would not have prevented an attack such as the one against OPM, which exposed the personal information of some 21.5 million federal employees to what U.S. officials say was a group of Chinese hackers.

Feinstein and Burr both conceded this week that CISA would not have prevented some recent, high-profile breaches. Instead, Feinstein said Thursday, it is a “first step” toward improved cybersecurity.

Bill Ingalls/NASA via Getty Images

 Twitter: @EliasGroll
