Controversial Cybersecurity Measure Moves Forward in Senate

The Cybersecurity and Information Sharing Act, a controversial bill to give liability protection to companies that share cyberthreat information with the government, passed a key test in the Senate Thursday as the measure moves toward a final vote.

Senators voted 83 to 14 to end debate on an amendment likely to determine the law’s final shape. Shortly afterwards, Senate Intelligence Chairman Richard Burr (R-N.C.) urged lawmakers to reject any amendments to that latest version of the bill ahead of a final vote scheduled for Tuesday.  

Together with Sen. Dianne Feinstein of California, the committee’s top Democrat, Burr has in recent weeks revised the bill to strengthen some privacy protections, limit the government from accessing shared information, and clarify that companies would be prohibited from “hacking back” against perpetrators of cyberspace attacks. These revisions were contained in the amendment that moved forward Thursday.

According to Robyn Greene, policy counsel New America’s Open Technology Institute, the revisions have improved the bill’s civil liberties and transparency assurances but do not go far enough. In a letter to the Senate this week, Greene argued that the bill’s requirements for companies to remove personally identifiable information remain too weak and that its definitions remain too vague as to what is considered a “cybersecurity threat” and “cyber threat information.” The bill authorizes companies to share information under those definitions.

Moreover, Greene said, the Department of Homeland Security should retain control over how and when threat data is shared with other parts of the government, such as the NSA and CIA, to avoid a “militarization” of the information sharing system.

Senate Majority Leader Mitch McConnell said the Senate will carry out a series of votes on additional amendments on Tuesday, and vote on the full law by the end of the day. It still must be reconciled with a slightly different House bill.

CISA has drawn intense opposition from prominent tech companies, including Apple and Dropbox, which argue the bill falls short in protecting users’ personal information. Civil libertarians argue the measure is a surveillance bill in disguise, and fear it would grant U.S. intelligence agencies access to large volumes of data provided to them by American companies.

In recent months, Apple has staked out a series of aggressive positions to protect its users’ privacy, including automatically encrypting phone information by default. That has landed the tech giant in a dispute with law enforcement agencies that are furious about being unable to access phone data in a criminal investigation, even when backed with a court warrant.

“We design our products in such a way that privacy is designed into the product,” Apple CEO Tim Cook told NPR earlier this month. “We think that our customers want us to help them keep their data safe.”

Apple’s decision to oppose CISA is the latest front in its recent effort to protect customer privacy against government efforts to collect intelligence. “The trust of our customers means everything to us and we don’t believe security should come at the expense of their privacy,” Apple said in a statement urging senators to vote against the bill.

Several other technology companies have echoed that sentiment. “We care deeply about the privacy and security of our users,” Dropbox’s public policy chief Amber Cottle said in a statement opposing the bill. “While it’s important for the public and private sector to share relevant data about emerging threats, that type of collaboration should not come at the expense of users’ privacy.”

Other technology companies that have in recent days announced their opposition to CISA include Yelp, Twitter, and Wikipedia. That has become fodder for lawmakers who seek to defeat the legislation, such as Sen. Ron Wyden (D-Ore.) “Just be­cause a pro­pos­al has cy­ber­se­cur­ity in its title doesn’t make it good,” he said Thursday.

Responding, Burr and Feinstein said CISA’s provisions to share cyberthreat information are purely voluntary, and companies like Apple don’t have to participate.

Meanwhile, CISA is strongly backed by other business groups, including the U.S. Chamber of Commerce and the Financial Services Roundtable. Under current law, companies already share attack information with the federal government and within industry groups.

Yet some firms remain nervous about doing so, afraid that data-sharing may expose them to legal action from customers who allege mishandling of private information. Extending liability protections may be one way to expand such information-sharing. Even if it fails to do so, protection from what industry lobbyists call “frivolous lawsuits” over information shared with the government has become a key goal for business groups.

Coming in the aftermath of major breaches at the Office of Personnel Management and several major companies, there is clear political momentum in the Senate to pass cybersecurity legislation.

Nonetheless, computer security experts are nearly unanimous in pointing out that CISA’s information-sharing provisions would not have prevented an attack such as the one against OPM, which exposed the personal information of some 21.5 million federal employees to what U.S. officials say was a group of Chinese hackers.

Feinstein and Burr both conceded this week that CISA would not have prevented some recent, high-profile breaches. Instead, Feinstein said Thursday, it is a “first step” toward improved cybersecurity.

Bill Ingalls/NASA via Getty Images