The Senate on Tuesday passed a cybersecurity bill that would give companies legal immunity for sharing data with the federal government, over the protests of some lawmakers and consumer advocates who say that the legislation does not adequately protect Americans’ privacy.
The Cybersecurity Information Sharing Act, or CISA, must now be reconciled with legislation passed earlier this year by the House of Representatives.
The Obama administration and lawmakers in both parties have been seeking for years to enact information-sharing legislation, and it now seems likely to become law.
The 74 to 21 vote comes as digital attacks against private industry and the government alike put pressure on lawmakers to address information security.
“For me this has been a six-year effort … and it hasn’t been easy because what we tried to do was strike a balance and make the bill understandable so that there would be a cooperative effort to share between companies and with the government,” Sen. Dianne Feinstein (D-Calif.), vice-chairman of the Intelligence Committee and a co-author of the bill, said on the Senate floor.
But privacy activists argue the bill generally lacks robust privacy protections. They expressed concerns with provisions that allow the Department of Homeland Security to share information gathered as part of the program with other government agencies — effectively turning the legislation into a backdoor surveillance bill that benefits the intelligence community, critics allege.
The White House expressed qualified support for the legislation in a statement last week, indicating that it would work to make improvements to the bill in the reconciliation process with the House legislation.
Supporters of the legislation argue that the government could better help private companies secure their systems if it has more information about the threats they face. But companies have been reluctant to share that information out of fears of running afoul of privacy regulations, proponents say.
“It clears away the uncertainty and concerns that keep companies from sharing this information,” Feinstein said.
CISA would set up a hub for voluntary information sharing managed by DHS: When a company discovers suspicious activity on its systems, it would give information about the attack to the government, which would then warn other companies.
In theory, the information shared would be limited to so-called “threat indicators” — data like technical information about the type of malware used or ways that the attacker covered their tracks while sneaking through systems.
The Senate rejected amendments from Sens. Ron Wyden (D-Ore.) and Dean Heller (R-Nev.) that would require more stringent reviews by companies to remove personal information before sharing data with the government, as well as other amendments aimed at removing restrictions on Freedom of Information Requests over data shared under the program and tightening the definition of “threat indicators.” It also rejected an amendment that would have extended liability protections to companies that shared cyber threat information with the FBI and the Secret Service.
The Senate did pass a manager’s amendment package from Feinstein and Sen. Richard Burr (R-N.C.) that made some changes to appease privacy advocates.
But critics have warned that the bill, combined with surveillance programs revealed by former National Security Agency contractor Edward Snowden, could give intelligence agencies more leeway to collect “upstream data” from the Internet backbone.
Many civil liberties groups campaigned aggressively against the legislation, with one campaign sending a massive number of faxes opposing the bill to congressional offices and pressuring tech companies to take a public stand against CISA.
Some tech giants came out against the bill, including Apple, which has aggressively positioned itself on privacy issues. “We don’t support the current CISA proposal,” the company said in a statement last week. “The trust of our customers means everything to us and we don’t believe security should come at the expense of their privacy.”
Major tech trade groups, including the Computer & Communications Industry Association, have also come out against the legislation.
But other tech companies have endorsed CISA, including IBM. “Sharing technical details on the latest digital threats is critical to strengthening America’s cyberdefenses. Online criminals actively share information to penetrate networks, steal vital economic and national security data, and compromise the personal information of millions of Americans,” Timothy J. Sheehy, vice president for technology policy at IBM’s government and regulatory affairs office, said in a statement after the Senate vote.
In the final days before the vote, digital activists at Fight for the Future accused Facebook of quietly lobbying for the bill. A Facebook spokesperson denied the claim, saying that the company does not have a position on CISA.
Facebook itself runs a private system for sharing cyber threat indicators known as Threat Exchange, which some 130 companies currently use. Other industries, including the financial sector, run similar organizations among themselves — and the government already has some mechanisms set up to help share cyber threat intelligence, although not at the scale envisioned by CISA.
Earlier this week, a group of academics and security experts expressed concern over the bill, saying it would “do little, if anything, to address the very real problem of flawed cybersecurity while creating conditions ripe for abuse.”
But advocates of the bill heralded its Senate passage as a step forward for cybersecurity.
“This landmark bill finally better secures Americans’ private information from foreign hackers,” said Burr in a statement after the bill’s passage. “American businesses and government agencies face cyber-attacks on a daily basis. We cannot sit idle while foreign agents and criminal gangs continue to steal Americans’ personal information as we saw in the Office of Personnel Management, Target, and Sony hacks.”
Staff Writer Ellen Nakashima contributed to this report.
This article was written by Andrea Peterson from The Washington Post and was legally licensed through the NewsCred publisher network.