Senate Passes Controversial CISA Bill Letting Companies Share Cybersecurity Information With Government

09_03_CyberSecurity_01
The controversial Cybersecurity Information Sharing Act passed in the Senate Tuesday afternoon. Kacper Pempel/Reuters

The controversial Cybersecurity Information Sharing Act (CISA), which sat dormant for months waiting for consideration, passed 74-21 in the Senate Tuesday afternoon. The bill aims to improve the nation’s cybersecurity by allowing the U.S. government and the private sector to share cyberthreat information.

Proponents of the legislation say that by permitting the sharing of information, CISA would help the government coordinate with private companies to improve their cyberattack responses. And the time is ripe, supporters say, as it follows a series of high-profile cyberattacks, including the massive breach of the federal Office of Personnel Management (OPM) systems earlier this year.

But many security experts attribute the OPM hack to poor government protections, which CISA wouldn’t address. Instead, critics such as the Electronic Frontier Foundation and the American Civil Liberties Union liken the bill to surveillance in disguise, potentially placing even more of Americans’ personal information in the hands of government, and potentially at risk.

Senator Dianne Feinstein (D-Calif.) and Senator Richard Burr (R-N.C.), an unlikely pair, co-sponsored the bill, which also has the White House’s support. The opposition is composed of rare allegiances as well, including tech giants like Facebook and privacy, security and transparency activists, who are often at odds with one another. The Department of Homeland Security, which companies would send information to before it is disseminated to other agencies, came out strongly against CISA, saying in August that it could “sweep away important privacy protections.”

Some critics of the bill, like Senator Ron Wyden (D-Ore.), advocated a series of amendments to make CISA more palatable. Wyden introduced an amendment that would have placed stricter requirements on companies to remove consumers’ personal information before sharing data with government agencies. But like other amendments meant to soften the bill, it was defeated.

Feinstein argued that information sharing by companies is voluntary under the bill and is restricted to cybersecurity-related information.

Senator Al Franken (D-Minn.) offered an amendment that would have clarified the definitions of “cybersecurity threat” and “cyberthreat indicator” included in the bill, which critics felt were overly broad and opened the door to other, unrelated information being shared. It was also shot down.

An amendment by Senator Patrick Leahy (D-Vt.) would have removed a provision in the bill weakening the Freedom of Information Act (FOIA), which gives people the right to access information from the federal government. Under the “most transparent administration,” CISA enacts a new exemption for the government to use as reason for not releasing information.

Lawmakers in favor of CISA argued during preliminary debates that the amendments, particularly the one removing the FOIA exemption, would serve to discourage companies from collaborating with the government. But the existing exemptions, Leahy argues, adequately cover cyber-related information that the government does not want to release to the public. The companies that share information would also enjoy legal liability protections under CISA.

Though the legislation has now passed the Senate, lawmakers still must reconcile the Senate’s version with the House’s, which passed in April. Then it is up to President Barack Obama to sign the bill into law.