Passage of the bill, dubbed the Cybersecurity Information Sharing Act (CISA), is a disappointing defeat for civil-liberties groups and major tech companies that had urged lawmakers to strengthen its privacy protections while arguing that the bill will do little to bolster firms’ cybersecurity. CISA proponents say the bill is a necessary step toward combating cyber threats.
The 74-21 vote on CISA, which directs the Department of Homeland Security to establish a portal for receiving and distributing cyber-threat data from businesses, was not a surprise. The bill sailed through a preliminary vote last week. Powerful business groups like the U.S. Chamber of Commerce supported it, encouraged by the provision giving companies immunity from lawsuits stemming from their sharing of threat data.
The bill contains a provision requiring companies to strip out customers’ personal information from any data they transmit to DHS, but privacy activists have warned that the precise language—which emphasizes removing information definitively known to be irrelevant to the particular cyber threat—will let Americans’ private details slip through the process.
Another privacy provision, which directs DHS to coordinate its own process for “scrubbing” personal information from the shared data, contains a major loophole. It would give any one of the major agencies using the portal, which include the FBI and the NSA, the ability to override the scrubbing process and access the raw data.
These privacy concerns, coupled with the immunity clause that incentivizes the sharing in the first place, led the Electronic Frontier Foundation, the nation’s leading digital civil-liberties group, to call CISA “a surveillance bill in disguise.” EFF and a broad coalition of privacy groups launched the Stop Cyber Surveillance campaign to kill CISA.
An unnamed former senior U.S. official seemed to confirm these fears when he told CNNMoney on Monday that CISA would “give our spy agencies greater visibility” and said that that was “the point” of the bill.
Security experts, cybersecurity professors, and Silicon Valley giants also joined the fight against CISA. Tech companies stressed privacy concerns, while IT professionals argued that information sharing would not have prevented any of the major cyberattacks that CISA’s supporters frequently held up as evidence of the threat. Among those attacks were the Office of Personnel Management data breach, which exposed the records of some 22 million federal workers, and the Sony Pictures Entertainment hack, which publicly and dramatically spilled the studio’s secrets and prompted the nearly unprecedented cancellation of a major motion picture release at Christmastime.
“The bill passed by the Senate today—if enacted into law—would still do almost nothing to improve cybersecurity while undermining the rights of potentially hundreds of millions of people,” Nathan White, senior legislative manager at the civil-liberties group Access, said in a statement.
Greg Nojeim, director of the Center for Democracy and Technology’s Freedom, Security, and Technology Project, called CISA’s passage “a big step backward for privacy.”
“More personal information will be shared with the NSA and with law enforcement agencies and will be turned to purposes other than cybersecurity,” Nojeim said in an email. “Instead of using a scalpel to clear a path through laws that inhibit needed information sharing, Congress slashed at those laws with a machete—with uncertain result.”
Sen. Ron Wyden (D-Ore.), CISA’s leading congressional opponent, introduced an amendment to tweak the privacy language so that companies could only share information that they definitively knew to be relevant to the particular threat, thus raising the threshold for what could be shared. But the Senate rejected that amendment during a day-long session of CISA-related votes.
“The fight to secure Americans’ private, personal data has just begun,” Wyden said in a statement. “Today’s vote is simply an early, flawed step in what is sure to be a long debate over how the U.S. can best defend itself against cyber threats.”
In the morning session, senators also defeated an amendment from Sen. Dean Heller (R-Nev.) that would have changed the personal-information-scrubbing provision to require the government to do more to remove such information; an amendment from Sen. Patrick Leahy (D-Vt.) to remove the bill’s FOIA exemptions; and an amendment from Sen. Al Franken (D-Minn.) to strictly define the terms “cybersecurity threat” and “cyber threat indicator.”
After returning from mid-day weekly conference meetings, the Senate rejected an amendment from Sen. Chris Coons (D-Del.) to strengthen the data-scrubbing process that the government undertakes after receiving data. The current version of that process permits the head of any federal agency participating in the DHS portal to veto data scrubbing altogether.
Then, before three final votes on the bill itself, senators defeated an amendment from Sen. Tom Cotton (R-Ark.) that would have let businesses send cyber threat data to the FBI and the Secret Service instead of to the DHS portal. That amendment was controversial even among many of CISA’s supporters, who argued that it would undercut the data-sharing centralization at the core of the bill. Retailers, which already deal with the FBI and the Secret Service, had supported the change.
The Information Technology Industry Council, a major technology trade group, praised the Senate for passing CISA. Dean Garfield, the group’s president, said in a statement that the bill represented “an important step” in the broader push for resilient cyberdefense.
CISA’s cosponsors incorporated an amendment from Sen. Jeff Flake (R-Ariz.) setting an expiration date for the legislation, after reaching an agreement with Flake to change the timetable from six years to 10 years. They also quietly stripped out two provisions that had required reports on critical infrastructure cybersecurity and on impediments to government use of strong security tools.
Because CISA’s amendments made substantive changes to the bill, Senate and House staff members must now meet to iron out the differences between it and its House counterparts. Those two bills, the Protecting Cyber Networks Act (PCNA) and the National Cybersecurity Protection Advancement Act (NCPAA), both passed the House with more than 300 votes. A House aide told Politico that final conference passage should come before the end of the year.
Update 4:34pm CT, Oct. 27: Added statements.
Illustration by Max Fleishman