The Cable

The Cable goes inside the foreign policy machine, from Foggy Bottom to Turtle Bay, the White House to Embassy Row.

Senate Passes Controversial Cybersecurity Measure

The Cybersecurity Information Sharing Act grants businesses liability protection in exchange for sharing cyberthreat information with the government.

GettyImages-475638994crop
GettyImages-475638994crop

Amid intense opposition from privacy advocates and skepticism from experts about its security dividends, the U.S. Senate easily passed a bill Tuesday designed to bolster American defenses against a cyber attack and which grants U.S. corporations liability protection in exchange for sharing cyber threat information with the government.

Approved by a vote of 74 to 21, the Cybersecurity Information Sharing Act aims to improve information sharing between the private sector and the government about cyberattacks. Armed with data such as snippets of malicious code used in attacks, IP addresses from which they originate, and the computer ports they exploit, the government and U.S. corporations hope to be better able to combat and prevent computer attacks.

But privacy advocates have denounced the bill as a surveillance bill in a disguise. That’s because CISA creates a data pipeline from the private sector to the Department of Homeland Security, which is empowered to distribute that information to other arms of the government, including the NSA and CIA.

Amid intense opposition from privacy advocates and skepticism from experts about its security dividends, the U.S. Senate easily passed a bill Tuesday designed to bolster American defenses against a cyber attack and which grants U.S. corporations liability protection in exchange for sharing cyber threat information with the government.

Approved by a vote of 74 to 21, the Cybersecurity Information Sharing Act aims to improve information sharing between the private sector and the government about cyberattacks. Armed with data such as snippets of malicious code used in attacks, IP addresses from which they originate, and the computer ports they exploit, the government and U.S. corporations hope to be better able to combat and prevent computer attacks.

But privacy advocates have denounced the bill as a surveillance bill in a disguise. That’s because CISA creates a data pipeline from the private sector to the Department of Homeland Security, which is empowered to distribute that information to other arms of the government, including the NSA and CIA.

Passage in the Senate was a key milestone; the House has already passed similar legislation, and the White House has signalled its support for the measure, meaning that it will likely become law.

In a flurry of votes Tuesday, the Senate rejected a series of amendments advanced by civil liberties advocates to improve CISA’s privacy protections. Sens. Richard Burr (R-N.C.) and Dianne Feinstein (D-Calif.), the chairman and ranking member of the Senate Intelligence Committee, respectively, had urged their colleagues to reject any such amendments in a bid to maintain what they have described as the bill’s delicate balance between privacy and corporate protections.  

Sen. Ron Wyden (D-Ore.), the Senate’s most outspoken privacy advocate and a member of the Intelligence Committee, has in recent weeks carried out a relentless, if ultimately quixotic, campaign to either defeat or amend the measure. Tuesday’s votes mark a bitter defeat for Wyden and privacy groups, who have vocally campaigned against the measure. NSA whistleblower Edward Snowden repeatedly tweeted his opposition to the measure Tuesday.

“Instead of heeding the loud warnings of security experts, tech industry leaders, and civil society that CISA will harm privacy and security, the Senate has opted to move forward on this dangerously broad bill,” said Robyn Greene, policy counsel at the New America Foundation’s Open Technology Institute. “Cyber threats are of serious concern and are deserving of serious solutions, but passage of CISA is disappointing because it takes us further down the wrong road for cybersecurity.”

Computer security experts are nearly unanimous in arguing that CISA, and in particular its information-sharing conduit, would do little to prevent the kind of major breaches that have grabbed headlines. Security experts say, for example, that information sharing would not have prevented the hack at the Office of Personnel Management, which exposed the personal information of 21.5 million current, former, and prospective federal employees to Chinese hackers.

Nonetheless, such high profile attacks, including another on health insurer Anthem, have created a political groundswell on the Hill. A group of prominent computer science professors and researchers derided the bill as a “‘let’s do something’ law” in a letter sent to senators Monday.

But CISA does have one big group of backers: American businesses. Tuesday’s vote is a major victory for the U.S. Chamber of Commerce and the Financial Services Roundtable, two industry groups that have engaged in a high-profile lobbying campaign to push the measure across the finish line.

Under current law, companies already share information about cyber attacks with the federal government and within industry groups. Yet some firms remain nervous about doing so, afraid that data sharing may expose them to legal action from customers who allege mishandling of private information. Extending liability protections may be one way to expand such information sharing. Even if the bill fails to stem cyber attacks, garnering protection against what industry lobbyists call “frivolous lawsuits” over information shared with the government has become a key goal for business groups.

In the recent debate over the bill, Burr and Feinstein cited the measure’s widespread support among the business community, but in the last two weeks a slew of prominent technology companies, including Apple and Twitter, have come out against the measure, saying they fear the bill will compromise their users’ privacy rights.

The bill now heads to the House, where it will have to be reconciled with similar but slightly different cybersecurity legislation that has already passed there.

Win McNamee/Getty Images

Twitter: @EliasGroll

More from Foreign Policy

Vladimir Putin speaks during the Preliminary Draw of the 2018 FIFA World Cup in Russia at The Konstantin Palace on July 25, 2015 in Saint Petersburg, Russia.
Vladimir Putin speaks during the Preliminary Draw of the 2018 FIFA World Cup in Russia at The Konstantin Palace on July 25, 2015 in Saint Petersburg, Russia.

What Putin Got Right

The Russian president got many things wrong about invading Ukraine—but not everything.

Dmitry Medvedev (center in the group of officials), an ally of Russian President Vladimir Putin who is now deputy chairman of the country's security council, visits the Omsktransmash (Omsk transport machine factory) in the southern Siberian city of Omsk.
Dmitry Medvedev (center in the group of officials), an ally of Russian President Vladimir Putin who is now deputy chairman of the country's security council, visits the Omsktransmash (Omsk transport machine factory) in the southern Siberian city of Omsk.

Russia Has Already Lost in the Long Run

Even if Moscow holds onto territory, the war has wrecked its future.

Sri Lankan construction workers along a road in Colombo.
Sri Lankan construction workers along a road in Colombo.

China’s Belt and Road to Nowhere

Xi Jinping’s signature foreign policy is a “shadow of its former self.”

Dalton speaks while sitting at a table alongside other U.S. officials.
Dalton speaks while sitting at a table alongside other U.S. officials.

The U.S. Overreacted to the Chinese Spy Balloon. That Scares Me.

So unused to being challenged, the United States has become so filled with anxiety over China that sober responses are becoming nearly impossible.