Senate passes first major cyber bill in years

Senate passes first major cyber bill in years
© Francis Rivera

The Senate on Tuesday passed a major piece of cybersecurity legislation intended to stem the flood of cyberattacks on both government agencies and private companies.

The so-called Cybersecurity Information Sharing Act (CISA), a piece of legislation years in the making, passed 74-21. 

The House approved companion legislation in April, so the cybersecurity measure is now on track to reach President Obama’s desk and be signed into law, once a conference report is negotiated.


As the Senate closed in on approving CISA, Majority Leader Mitch McConnellAddison (Mitch) Mitchell McConnellElection Countdown: Takeaways from heated Florida governor's debate | DNC chief pushes back on 'blue wave' talk | Manchin faces progressive backlash | Trump heads to Houston rally | Obama in Las Vegas | Signs of huge midterm turnout Sanders: Democrats ‘absolutely’ have chance to win back rural America  Trump privately ready to blame Ryan and McConnell if Republicans lose midterms: report MORE (R-Ky.) called the bill "key to defeating cyberattacks and protecting the personal information of the people we represent."

CISA attempts to open up communication channels between industry and federal agencies by offering legal immunity to companies that share data with the government. Many industry groups have argued this back-and-forth is necessary to better understand and stymie overseas hackers.

Sen. Dianne FeinsteinDianne Emiel FeinsteinPoll: Feinstein holds 18-point lead over challenger Durbin to Trump: ‘We’re the mob? Give me a break’ Sen. Walter Huddleston was a reminder that immigration used to be a bipartisan issue MORE (D-Calif.), who co-sponsored the bill with Sen. Richard BurrRichard Mauze BurrDems can use subpoena power to reclaim the mantle of populism Collusion judgment looms for key Senate panel The National Trails System is celebrating 50 years today — but what about the next 50 years? MORE (R-N.C.), expressed relief on the Senate floor as her bill finally appeared bound for passage.

"For me this has been a six-year effort, and it hasn’t been easy," she said.

"This is kind of a new day," Feinstein concluded later, as the chamber moved to a final vote. "A way to pass a complicated, somewhat technical bill."  

CISA has been through several failed iterations over the last few Congresses, only gaining traction after the mammoth hacks on the Office of Personnel Management (OPM) this spring.

Supporters of the measure have spent months negotiating privacy issues raised by the legislation.

The bill faced fierce opposition from privacy advocates who painted it as a “surveillance bill” that would funnel more sensitive information to the government.

Other critics have expressed concerns that the bill would do nothing to prevent the kind of hacks — like the OPM breach — that were used to justify its passage.

"Increasingly, when Congress just reacts to a technology issue which is all over the news, instead of getting the win-win — which is more security and more liberty — Congress ends up with a policy that really doesn’t deliver on either count," leading CISA critic Sen. Ron WydenRonald (Ron) Lee WydenOvernight Health Care — Presented by Purdue Pharma — Trump says GOP will support pre-existing condition protections | McConnell defends ObamaCare lawsuit | Dems raise new questions for HHS on child separations Republicans should prepare for Nancy Pelosi to wield the gavel US to open trade talks with Japan, EU, UK MORE (D-Ore.) told The Hill as it became apparent the bill would clear the Senate.

The Senate worked throughout the day on a series of amendments, many of which attempted to stem privacy concerns.

Wyden and his privacy-focused cohort made a last-ditch attempt to inject changes favored by the civil liberties and digital rights community.

While the group struck out in each of its five attempts, several of the amendments received more votes than anticipated. Wyden spun the better-than-expected support from both sides of the aisle as a positive.

"I was pleased that in the home stretch, visible, active support came from all across the political spectrum," he said. "We'll just keep building."

The Oregon Democrat committed to continuing his crusade as the Senate bill is merged with the House offering.

"My sense is we’ve still got a conference, we’ve got a long debate ahead of us," he told The Hill.

Several smaller privacy edits did make it into the bill via a manager’s package from Burr and Feinstein, CISA's co-sponsors. The package pulled together nearly two dozen edits and amendments from various lawmakers, the product of several months of negotiations.

The amendment passed by voice vote.

The set of tweaks aims to address a number of the key concerns with how the bill affects digital privacy, including limiting the type of data that can be shared under the bill and clarifying the Department of Homeland Security’s (DHS) role as the primary intake valve for cyber threat data.

As a civilian agency with a major cybersecurity role, DHS is seen as having the most effective privacy oversight mechanisms to review data received under CISA.

Funnelling data through the DHS ensures it will "receive an additional scrub to remove any residual personal information," Feinstein said Tuesday.

In this spirit, lawmakers blocked a contentious addition from Sen. Tom CottonThomas (Tom) Bryant CottonFlake: Congress should not continue Kavanaugh investigations GOP senator suspects Schumer of being behind release of Ford letter Susan Collins becomes top 2020 target for Dems MORE (R-Ark.) that would have facilitated a direct transfer of cyber threat data between businesses and the FBI and Secret Service.

Despite the back-and-forth over numerous amendments, the final measure passed easily, with the broad bipartisan support that the bill's co-sponsors touted throughout debate. 

The bill now heads to a conference with the House, where staffers will work to combine CISA with the two companion bills passed by the House in April.

The process is expected to require “some serious negotiations,” according to one former House cybersecurity staffer. There are some critical discrepancies between the three bills, namely in the leeway they give companies to share data with agencies other than the DHS. 

Shifting House leadership and the technical nature of the bill will also slow down the timeline, Burr told reporters minutes after CISA passed.

"You saw how difficult it was and how technical this can be," he said.

Digital rights groups are not giving up either, vowing to continue pressing lawmakers to include the most stringent privacy mechanisms from each bill into the final law.

"We're going to move at a very slow pace," Burr added, predicting the two chambers wouldn't resolve their differences before the new year. 

Once the bill is enacted, there are also lingering questions over how many companies will participate. The advocacy group Fight for the Future has said it will try to obtain pledges from companies not to share data under CISA.

“[CISA] flies in the face of where most people are at on this, including the tech industry,” said Tiffiniy Cheng, co-director of Fight for the Future, an advocacy group fighting CISA.

During their final pitches for the bill, Burr and Feinstein emphasized that the program will be entirely voluntary.

"Nobody is mandated to do it," Burr insisted. "So I speak specifically to those companies right now. You might not like the legislation, but for goodness’ sake, do not deprive every other business in America from having the opportunity to have this partnership.”

Facebook, which operates its own threat-sharing forum to which it has not invited the government, has indicated it is unlikely to participate in CISA.

But the simple fact that Congress even got the bill through both chambers has amazed many observers.

"It’s a notable moment that the issue has come this far," said Norma Krayem, a tech-focused lobbyist who co-chairs the Data Protection and Cybersecurity division at law firm Holland & Knight. "Two weeks ago, no one I talked to believed me when I said the bill would come to the floor.”