Before heading out on August recess, Senate is gearing up for a fistfight over legislation that incentivizes the sharing of cyber threat indicators between the private and public sectors.
A motion to proceed on the Cybersecurity Information Sharing Act of 2015 (S.754) is slated for Wednesday morning. On Tuesday, Senate Majority Leader Mitch McConnell (R-Ky.) offered a unanimous consent agreement that would have let the Senate immediately consider the bill in exchange for allowing up to 10 relevant amendments from both parties to be made pending.
However, Senate Minority Leader Harry Reid (D-Nev.) did not take the bait.
“I can’t imagine how he could make this offer with a straight face,” Reid said. “Having amendments pending doesn’t mean anything.”
The Democrats want to pass a cybersecurity bill, he said, but need assurances from GOP leaders that their amendments would be up for a vote.
“We could start that today. Today is Tuesday. We could finish these amendments, I hope, on the Democratic side we could do it in a fairly short order of time,” Reid said.
CISA is the third information-sharing bill to be put before the upper chamber after two failed attempts to pass such legislation in previous years, said Sen. Dianne Feinstein (D-Calif.), the top Democrat on the Senate Intelligence Committee. Feinstein repeatedly characterized CISA as bipartisan, narrowly-focused legislation during her defense of the bill on Tuesday.
“This bill has strong support from the private sector because it creates incentives for improving cyber security and it protects companies that take responsible steps to do so,” she said. “Companies are shielded from lawsuits if they properly use the authorities provided in this bill, and they can be confident that sharing information with other companies or with the government will not subject them to inappropriate regulatory action.
“For these reasons, this bill has the support of over 40 business groups, and it’s the first bill that has the support of the Chamber of Commerce,” Feinstein said.
Feinstein and the sponsor of the bill, Senate Intelligence Committee Chairman Richard Burr (R-N.C.), have been circulating a manager’s amendment that addresses some of the privacy concerns that have cropped up after the legislation passed in committee this March. For instance, the amendment specifies that the government may only use the information it receives for cybersecurity measures.
“I hope the manager’s amendment clarifies that there is no surveillance,” Burr said. “The only thing we’re after is minimizing the loss of data.”
However, privacy advocates have said the package does not go far enough to protect civil liberties.
One of CISA’s biggest opponents, Sen. Ron Wyden (D-Ore.), said the bill would do little in the way of preventing large scale hackings like that of the Office of Personnel and Management (OPM), and does not safeguard the privacy of American citizens. Under the current legislation, companies are not compelled to hand over information to the government, but they can volunteer to share their customers’ personal information without getting the permission of those individuals, he said on the floor.
“It may be voluntary for the companies, but it’s mandatory for their customers and their consumers. They’re not given the opportunity to opt out,” he said. Furthermore, the manager’s amendment does not include changes to the bill’s language asked for by the Department of Homeland Security.
The Senate Intelligence Committee passed CISA earlier this year in a 14-1 vote, with Wyden as the only dissenting member. After that, Senate Republicans attempted to add it as an amendment to the National Defense Authorization Act, but Democrats blocked it, saying that CISA should be debated as a standalone bill.
Senators have already begun filing amendments to the legislation. Sen. Susan Collins (R-Maine) put forward the Federal Information Security Management Reform Act of 2015, which would expand DHS’s authority to detect and defend against intrusions on any civilian government network (Defense Daily, July 22).
Whether she will be allowed to offer her amendment on the floor is still up in the air, she told Defense Daily.
Sen. Dean Heller (R-Nev.) filed an amendment that would allow the private sector to strip out personal information that they “reasonably believe” is not related to a cyber threat. Under the current CISA, those entities must be certain personal information is not related to a threat before excising it.
“This term, ‘reasonably believes,’ is an important distinction that this bill needs,” he said. “It creates a wider protection for personal information by making sure that these entities are making an effort to take out personal information that is not necessary for cyber security.”