Senate passes first major cyber bill in years

Francis Rivera

The Senate on Tuesday passed a major piece of cybersecurity legislation intended to stem the flood of cyberattacks on both government agencies and private companies.

The so-called Cybersecurity Information Sharing Act (CISA), a piece of legislation years in the making, passed 74-21. 

The House approved companion legislation in April, so the cybersecurity measure is now on track to reach President Obama’s desk and be signed into law, once a conference report is negotiated.

As the Senate closed in on approving CISA, Majority Leader Mitch McConnellMitch McConnellCures bill in jeopardy amid drug pricing push Senate Democratic super PAC sets fundraising record Five takeaways from Florida Senate debate MORE (R-Ky.) called the bill "key to defeating cyberattacks and protecting the personal information of the people we represent."

CISA attempts to open up communication channels between industry and federal agencies by offering legal immunity to companies that share data with the government. Many industry groups have argued this back-and-forth is necessary to better understand and stymie overseas hackers.

Sen. Dianne FeinsteinDianne FeinsteinEverything you need to know about the National Guard's bonus controversy Lawmakers praise bonus-clawback suspension, pledge permanent fix Defense chief pledges to 'resolve' bonus clawback issue MORE (D-Calif.), who co-sponsored the bill with Sen. Richard BurrRichard BurrGOP, Burr challenger trade fire over sexual assault in TV ads GOP vulnerables dial back Hillary attacks Warren’s power on the rise MORE (R-N.C.), expressed relief on the Senate floor as her bill finally appeared bound for passage.

"For me this has been a six-year effort, and it hasn’t been easy," she said.

"This is kind of a new day," Feinstein concluded later, as the chamber moved to a final vote. "A way to pass a complicated, somewhat technical bill."  

CISA has been through several failed iterations over the last few Congresses, only gaining traction after the mammoth hacks on the Office of Personnel Management (OPM) this spring.

Supporters of the measure have spent months negotiating privacy issues raised by the legislation.

The bill faced fierce opposition from privacy advocates who painted it as a “surveillance bill” that would funnel more sensitive information to the government.

Other critics have expressed concerns that the bill would do nothing to prevent the kind of hacks — like the OPM breach — that were used to justify its passage.

"Increasingly, when Congress just reacts to a technology issue which is all over the news, instead of getting the win-win — which is more security and more liberty — Congress ends up with a policy that really doesn’t deliver on either count," leading CISA critic Sen. Ron WydenRon WydenLawmakers question new DOJ hacking rule Overnight Healthcare: How GOP could help fix ObamaCare | Cures bill in jeopardy | Senators unveil Medicare reforms Senators unveil bipartisan Medicare reforms MORE (D-Ore.) told The Hill as it became apparent the bill would clear the Senate.

The Senate worked throughout the day on a series of amendments, many of which attempted to stem privacy concerns.

Wyden and his privacy-focused cohort made a last-ditch attempt to inject changes favored by the civil liberties and digital rights community.

While the group struck out in each of its five attempts, several of the amendments received more votes than anticipated. Wyden spun the better-than-expected support from both sides of the aisle as a positive.

"I was pleased that in the home stretch, visible, active support came from all across the political spectrum," he said. "We'll just keep building."

The Oregon Democrat committed to continuing his crusade as the Senate bill is merged with the House offering.

"My sense is we’ve still got a conference, we’ve got a long debate ahead of us," he told The Hill.

Several smaller privacy edits did make it into the bill via a manager’s package from Burr and Feinstein, CISA's co-sponsors. The package pulled together nearly two dozen edits and amendments from various lawmakers, the product of several months of negotiations.

The amendment passed by voice vote.

The set of tweaks aims to address a number of the key concerns with how the bill affects digital privacy, including limiting the type of data that can be shared under the bill and clarifying the Department of Homeland Security’s (DHS) role as the primary intake valve for cyber threat data.

As a civilian agency with a major cybersecurity role, DHS is seen as having the most effective privacy oversight mechanisms to review data received under CISA.

Funnelling data through the DHS ensures it will "receive an additional scrub to remove any residual personal information," Feinstein said Tuesday.

In this spirit, lawmakers blocked a contentious addition from Sen. Tom CottonTom CottonCotton not ruling out 2020 White House bid GOP senators avoid Trump questions on rigged election GOP chairman demands number of immigrants granted accidental citizenship MORE (R-Ark.) that would have facilitated a direct transfer of cyber threat data between businesses and the FBI and Secret Service.

Despite the back-and-forth over numerous amendments, the final measure passed easily, with the broad bipartisan support that the bill's co-sponsors touted throughout debate. 

The bill now heads to a conference with the House, where staffers will work to combine CISA with the two companion bills passed by the House in April.

The process is expected to require “some serious negotiations,” according to one former House cybersecurity staffer. There are some critical discrepancies between the three bills, namely in the leeway they give companies to share data with agencies other than the DHS. 

Shifting House leadership and the technical nature of the bill will also slow down the timeline, Burr told reporters minutes after CISA passed.

"You saw how difficult it was and how technical this can be," he said.

Digital rights groups are not giving up either, vowing to continue pressing lawmakers to include the most stringent privacy mechanisms from each bill into the final law.

"We're going to move at a very slow pace," Burr added, predicting the two chambers wouldn't resolve their differences before the new year. 

Once the bill is enacted, there are also lingering questions over how many companies will participate. The advocacy group Fight for the Future has said it will try to obtain pledges from companies not to share data under CISA.

“[CISA] flies in the face of where most people are at on this, including the tech industry,” said Tiffiniy Cheng, co-director of Fight for the Future, an advocacy group fighting CISA.

During their final pitches for the bill, Burr and Feinstein emphasized that the program will be entirely voluntary.

"Nobody is mandated to do it," Burr insisted. "So I speak specifically to those companies right now. You might not like the legislation, but for goodness’ sake, do not deprive every other business in America from having the opportunity to have this partnership.”

Facebook, which operates its own threat-sharing forum to which it has not invited the government, has indicated it is unlikely to participate in CISA.

But the simple fact that Congress even got the bill through both chambers has amazed many observers.

"It’s a notable moment that the issue has come this far," said Norma Krayem, a tech-focused lobbyist who co-chairs the Data Protection and Cybersecurity division at law firm Holland & Knight. "Two weeks ago, no one I talked to believed me when I said the bill would come to the floor.”