The Senate is moving toward passage of landmark cybersecurity legislation this week that will cap a six-year process — or ordeal — to get a major cyberbill through the chamber.
A vote on passage of the Cybersecurity Information Sharing Act is expected as early as Tuesday, after the Senate approves a package of refinements by Intelligence Chairman Richard Burr, R-N.C., and ranking member Dianne Feinstein, D-Calif., and mows down a list of amendments that the sponsors call “poison pills.”
The first of those amendments, a proposal by Sen. Rand Paul, R-Ky., to potentially limit industry’s liability protections, fell on a 32-65 vote last week.
Burr warned his colleagues that amendments like Paul’s might be “enticing,” but would upend the “delicate balance” that sponsors struck on privacy and security issues. If Congress can’t act on this kind of voluntary approach to cybersecurity, Burr said, the alternative likely would be mandatory, government-imposed standards.
The wide margin of victory on the Paul amendment suggests Burr’s message resonates with his colleagues, and that the handful of additional amendments will be easily defeated.
Perhaps most problematic is a proposal by Sen. Jeff Flake, R-Ariz., to “sunset” the new information-sharing law after six years. The House added a seven-year sunset to its version of the info-sharing legislation during floor debate last spring. The House and Senate versions will have to be reconciled in negotiations this fall.
Industry groups say the sunset would inhibit companies from investing in the information-sharing process, but it would not affect the underlying workings of the legislation.
Proposals by Sens. Ron Wyden, D-Ore., Dean Heller, R-Nev., Al Franken, D-Minn., Chris Coons, D-Del., and Patrick Leahy, D-Vt., would do just that by adding new requirements on removing personal information and tightening the definition of what can actually be shared as a “cyberthreat indicator,” for example.
Their amendments are strongly opposed by the sponsors and industry.
Another amendment by Sen. Tom Cotton, R-Ark., allowing direct sharing between industry and the FBI and Secret Service, enjoys industry support but will be opposed by the sponsors.
The Cotton measure is vehemently opposed by online privacy advocates, who will not support CISA in any case, but the managers are committed to opposing anything that disrupts the basic tenets of their legislation.
In this case, the Cotton proposal flies in the face of Burr and Feinstein’s commitment to limit liability protection to information shared through a Department of Homeland Security-run “portal” that builds in privacy protections.
Burr and Feinstein incorporated a proposal by Sen. Tom Carper, D-Del., to allow the Department of Homeland Security to perform an automated “scrub” of incoming threat data. The legislation further requires companies themselves to remove personal data before sending information to the government.
The DHS scrub is designed as one safety check to ensure such information is removed in what supporters say will be rare cases when personal data slips through. Agencies that receive the threat indicators from DHS are also required to perform a scrub.
Wyden and other bill foes have been dismissive of these steps and say the process would actually discourage companies from trying to identify personal information before sharing with government.
“There’s no ‘there’ there,” Wyden said, arguing that the standard to remove data “known at the time of sharing” to include personal information will simply lead companies not to look very hard before shuttling the data to government.
Wyden and other critics last week also tried hammering the point that CISA simply would not have worked to prevent any of the recent cyberbreaches that produced headlines, such as the hack at the Office of Personnel Management that exposed the personal data of 22 million current and former government employees.
That’s right, Burr concurred on the Senate floor, saying CISA “is not a prevention bill — it’s to minimize losses.”
Feinstein weighed in that CISA is a “first step” that hands industry and government desperately sought tools to fight cybercrime, terrorists and even nation-states in cyberspace. While some tech companies have come out against the bill, Feinstein said, “hundreds, thousands” of other companies are urging Congress to pass this info-sharing measure. She pointed to 52 major trade associations that have banded together in a coalition supporting the bill.
But Carper noted that the manager’s amendment now includes a Senate Homeland Security and Governmental Affairs Committee-passed measure that will accelerate deployment of advanced cybersecurity technology across government agencies, arguing the legislation actually will help prevent future attacks.
Deploying the so-called EINSTEIN technology “puts a new player on the field” to block penetrations and is “reason enough” to support CISA.
The Senate is nearing a final vote to send CISA into conference with the House — and get the cyberbill to the president’s desk this year, which would be a significant conclusion to a process that began early in President Obama’s first term.
Senate Republicans in 2012 blocked a major cyberbill that included government mandates on industry. Senate Democrats didn’t allow an info-sharing bill to advance last year. The process has been extremely frustrating for bill supporters, but the end result is likely a bill that will ultimately clear both the House and Senate with overwhelming majorities.
Charlie Mitchell is editor of InsideCybersecurity.com, a premium news service from Inside Washington Publishers.