More Senate Dems raise privacy concerns with cybersecurity bill

More Democrats are signaling they will try to amend a major cybersecurity bill when it hits the Senate floor in the coming weeks.

In a Senate Intelligence Committee report released over the weekend, Sens. Martin HeinrichMartin Trevor HeinrichSchumer vows to only pass infrastructure package that is 'a strong, bold climate bill' FBI warns lawmakers of violence from QAnon conspiracy theorists Overnight Energy: Company officially nixes Keystone XL pipeline | Government watchdog finds failings, but no Trump influence, in clearing of Lafayette Square MORE (D-N.M.) and Mazie HironoMazie Keiko HironoSenate on collision course over Trump DOJ subpoenas Democrats mull overhaul of sweeping election bill White House gets back to pre-COVID-19 normality MORE (D-Hawaii) said they “continue to harbor concerns” about several privacy provisions in the bill.

The measure, the Cybersecurity Information Sharing Act (CISA), would grant companies liability protections when sharing cyber threat data with the government. It passed out of committee last month by a 14-1 vote.


Sen. Ron WydenRonald (Ron) Lee WydenFive takeaways on the Supreme Court's Obamacare decision Schumer vows to only pass infrastructure package that is 'a strong, bold climate bill' Supreme Court upholds ObamaCare in 7-2 ruling MORE (D-Ore.) — the only dissenting vote in markup — and Sen. Patrick LeahyPatrick Joseph LeahyShelby signals GOP can accept Biden's .5T with more for defense Bipartisan lawmakers want Biden to take tougher action on Nicaragua Biden budget expands government's role in economy MORE (D-Vt.) have expressed serious reservations about the measure, and both have indicated they’ll likely try to enhance it on the floor.

Advocates argue increased threat-sharing creates a better profile of hackers’ tactics, allowing everyone to bolster their defenses. They say companies need liability protections to quell fears of shareholder lawsuits and regulatory action when sharing data with the government.

Privacy groups maintain the bill does not properly restrict the personal information companies could share with government agencies, including ultimately the National Security Agency (NSA).


Heinrich and Hirono echoed those fears in commentary submitted for the report.

“However well intended, the bill’s provisions do not adequately direct companies to remove personally identifiable information when sharing cyber threat indicators with the government,” they said.

Furthermore, they said, “the bill also lacks a directive that the Department of Homeland Security scrub cyber threat indicators for unnecessary personally identifiable information before sharing that information with other areas of the federal government.”

CISA would make the DHS the main entryway for the cyber threat data entering the government.


The move was a concession to privacy advocates who worry about personal data going directly to the NSA.

But privacy groups think that without a proper DHS scrubbing, the sensitive information will still make it to the NSA almost instantaneously.

The bill’s backers disagree. They point to language in the bill that directs both companies and DHS to redact information that is known “at the time of the sharing to be personal information.”

The semantics debate is expected to get settled in the coming weeks, when CISA is expected hit the floor.

“We will look forward to a robust debate on the floor,” the two senators said.