Controversial cyber bill clears first Senate hurdle

A long-stalled cybersecurity bill cleared its first procedural hurdle in the Senate on Thursday.

The Senate voted 83-14 to end debate on a major package of amendments to the Cybersecurity Information Sharing Act (CISA), which gives companies incentives to share cyber threat data with the government. 

The bill still faces a number of other procedural votes — and likely more days of debate — before it gets to a final vote, but Thursday’s vote was the first serious step forward for CISA after months of false starts.

"We have been at this for six years," said Sen. Dianne Feinstein (D-Calif.), a CISA co-sponsor, just before the vote. "This is the third bill. We have been bipartisan."

The manager’s amendment, from Feinstein and CISA co-sponsor Sen. Richard Burr (R-N.C.), is meant to mitigate some of the privacy and surveillance fears that have kept CISA off the Senate floor for so long.

The package is expected to be adopted by the Senate.

“It makes important changes to the bill,” Feinstein said on the floor Wednesday, “to address privacy concerns about the legislation.”

While many industry groups, a bipartisan coalition of lawmakers and even the White House have backed CISA as a necessary first step to better understanding and repelling hackers, privacy advocates and an increasing number of tech companies have argued the bill would simply shuttle Americans’ personal data to the government without actually strengthening cyber defenses.

The Burr-Feinstein amendment is meant to assuage worries that Feinstein’s colleagues expressed as CISA moved through the upper chamber.

Various provisions within the amendment restrict the data that companies can share with the government, eliminate controversial government uses of that data and set up a more robust government scrub of any personal information it accidentally receives, Feinstein explained.

The clauses are a combination of six edits from Burr and Feinstein and portions of 14 amendments from other lawmakers that have been tacked on since August.

Before the August recess, Senate leaders agreed to consider at least 22 amendments on CISA, including the Burr-Feinstein package. The duo was able to get eight of those amendments rolled into their manager’s package, in addition to six proposals from other senators.

The edits likely helped CISA gain the support of key Democrats, including Sen. Tom Carper (D-Del.), the ranking member of the Senate Homeland Security and Governmental Affairs Committee, who was backing a competing cyber bill earlier this year.

The package, he said on Wednesday, makes CISA a “significantly smarter and stronger bill.”

Carper had two amendments added to the manager's package in recent weeks. Notably, one would establish a filter at the Department of Homeland Security to scrub any personal information such as Social Security numbers before cyber threat data is shared government-wide.

“The [manager’s] amendment we are debating today makes a number of improvements to the bill that was first made public after the Intelligence Committee reported it out,” he said. “It also includes several changes that I, as well as several of my colleagues, have been calling for.”

But the package hasn’t won over civil liberties groups and leading CISA critic Sen. Ron Wyden (D-Ore.).

Wyden was joined in his no vote by a cohort of privacy-minded senators, including Sens. Al Franken (D-Minn.), Patrick Leahy (D-Vt.) and Bernie Sanders (I-Vt.), who is running for president.

Wyden took to the floor Wednesday to warn that the Burr-Feinstein amendment only requires companies to “remove any information that the company knows is personal information unrelated to a cybersecurity threat.”

“This language, in my view, clearly creates an incentive for companies to dump large quantities of data over to the government with only a cursory review,” he added. “This bill says, with respect to personal data, when in doubt, you can hand it over.”

Wyden will push for the Senate to approve alternative language that he believes would set a higher bar for businesses.

His changes would require a firm to “remove, to the extent feasible, any personal information ... that is not necessary to describe or identify a cybersecurity threat.”

“The alternative that I am offering gives companies a real responsibility to filter out unrelated personal information before that company hands over large volumes of personal data about customers or people to the government,” he said.