The bipartisan co-sponsors of a major cybersecurity bill reached a preliminary deal on amendments that could help speed the measure through the Senate before August recess.
Sens. Richard BurrRichard BurrTop Intel Dem: Congress 'far from consensus' on encryption Trump must be an advocate for the Small Business Administration Dems pledge to fight Sessions nomination MORE (R-N.C.) and Dianne FeinsteinDianne FeinsteinMika Brzezinski: Clinton camp wanted me off the air White House orders intelligence report of election cyberattacks Feinstein after dinner with Clinton: She has 'accepted' her loss MORE (D-Calif.), the top two lawmakers on the Senate Intelligence Committee, are backing the Cybersecurity Information Sharing Act (CISA). Their bill would boost the exchange of data on hackers between companies and the government.
In response, privacy-minded senators, led by Sens. Ron Wyden (D-Ore.) and Patrick Leahy (D-Vt.), have been angling to significantly alter the bill.
But Burr and Feinstein on Friday started circulating a managers’ amendment, obtained by The Hill, that would address some — but not all — of the privacy concerns that have stalled the bill since March.
The deal could help usher CISA through the upper chamber in the last moments before the Senate breaks for a month.
Senate Majority Leader Mitch McConnell (R-Ky.) last week vowed to act on CISA before leaving town. But even the bill’s supporters have expressed doubt that lawmakers have enough floor time to wade through all the desired amendments, absent a major deal that limits the add-ons that could be offered.
Multiple Senate offices, including Feinstein’s, confirmed the document's authenticity. But several aides cautioned that the text was not necessarily final and that it didn’t indicate a broader deal had been struck on all desired changes.
Still, the managers’ amendment could be a first step toward that broader deal. Several Senate offices hoping to change CISA indicated the pact was a positive sign, even if it falls short of what they ultimately want.
The changes would restrict how the government can share and use the data it would collect under CISA.
Civil liberties groups and technologists argue the current bill would allow the National Security Agency (NSA) to use CISA data to snoop on people for numerous reasons unrelated to cyber crime.
The amendment would strike “serious violent felonies” from the list of approved uses in an attempt to mitigate that fear.
It would also add clarifying language to ensure information collected through CISA could only be shared within the government for “cybersecurity purposes.”
CISA contains provisions requiring “real-time” sharing once an agency has received cyber threat data. Privacy advocates have chafed at this portion of the bill.
“This is a very significant privacy change, and it has been another top bipartisan and privacy group concern,” said a summary of the amendment being circulated.
The amendment also directly addresses one of Leahy’s top worries: that private sector information shared would be exempt from Freedom of Information Act (FOIA) requirements.
The CISA edit “eliminates the creation of a new exemption in the Freedom of Information Act specific to cyber information,” the summary said.
Still, the language fails to address some of the major issues driving opposition to the bill.
It would not, for example, eliminate all direct sharing between the private sector and government intelligence agencies.
This has been a sticking point for the White House, which has long argued all data swaps should go through the Department of Homeland Security (DHS). The administration and privacy advocates believe the DHS, as a civilian agency, is best-suited to scrub personal data and control the flow of cyber threat information within the government.
The managers’ amendment only “clarifies the types of cyber information sharing that are permitted to occur outside the ‘DHS portal’ created by the bill,” according to the summary.
Sen. Mark Warner (D-Va.) is also hoping to attach language that would give the Department of Homeland Security (DHS) more authority related to cybersecurity. The amendment does not touch on his efforts.
Access, a digital privacy group that has been working with Wyden to stall the bill, said the Burr-Feinstein agreement won’t bring privacy advocates around.
“Changes under the managers' amendment won't stop the government from instantly passing along information to intelligence agencies,” said Nathan White, Access senior legislative manager. “Law enforcement can still use information to prosecute whistleblowers under the Espionage Act.”
Norma Krayem, a lobbyist who has been involved in the recent CISA debates, thinks the Senate still has a ways to go.
“The tipping point on proceeding on cybersecurity could actually come from the administration supporting action in the Senate,” explained Krayem, who co-chairs the Data Protection and Cybersecurity division at law firm Holland & Knight.
“However, it still depends on three basic factors: Whether or not substantial changes are made in the underlying bill, if a sufficient amount of amendments are allowed to address privacy concerns, and ultimately, are there 60 votes to move forward?" she added. "It’s like the ‘known unknowns.’ ”