Following the Senate’s rejection of most amendments brought to the floor, the Cybersecurity Information Sharing Act (CISA, S.754) passed late Tuesday 74-21.
This vote followed a strong 83-14 bipartisan cloture vote on Thursday moving forward the cyber security information sharing legislation (Defense Daily, Oct. 22). Before the amendments were considered today, chief sponsors Sens. Richard Burr (R-N.C.) and Dianne Feinstein (D-Calif.), the chairman and vice-chairman respectively of the Senate Intelligence Committee, reiterated their opposition to all amendments that would upset the balance of support from private sector organizations.
“The vice chairman and I have from day one said to our members we will entertain any good ideas that we think strengthen the bill, and on both sides of the aisle we’ve said to members if this breaks the agreement that we have for the support we need, because they don’t believe that the policy is right, then we will lock arms and we will vote against amendments,” Burr said on the floor of the Senate today.
“As late as this morning Senator Burr and I have been working to see if we can reach agreement to accept or voice vote some of them, and I hope these discussions will be successful. However, I remain in agreement with the chairman that we will oppose any amendments that undo the careful compromises we have made on this bill…Several of today’s amendments would undo this balance.”
Of the eight amendments offered for the bill, all but two failed before final passage.
Sen. Ron Wyden’s (D-Ore.) amendment No. 2621 failed 41-55. Wyden was the sole dissenter when the committee approved the bill in March and has repeated his opposition since then, warning that it is a “surveillance bill.” His amendment directed companies sharing cybersecurity threat information to first remove personally identifiable information (PII) to the extent feasible. Feinstein voiced opposition, stating threat language is not clear enough for companies fearful of lawsuits.
Sen. Dean Heller (R-Nev.) also had an amendment seeking to protect certain personal information, No. 2548, and it failed as well, 47-49.
The third amendment, No. 2587, from Sen. Patrick Leahy (D-Vt.) failed 37-59. It sought to strike a Freedom of Information Act exemption from the bill.
Sen. Jeff Flake (R-Ariz.) modified his amendment No. 2582 on sunsetting several provisions in the bill, moving it from six to 10 years. This amendment was agreed to by a voice vote.
“I am a believer in sunset provisions for most things we do here in Congress. They force us to reconsider our past decisions, determine if what we enacted is operating as we intended, and debate the overall success of the legislation we pass,” Flake said in a statement following the amendment’s passage.
Amendment No. 2612, brought by Sen. Al Franken (D-Minn.), failed 35-60. It sought to improve definitions of cyber security threat and cyber threat indicators.
Sen. Chris Coons’ (D-Del.) amendment, No. 2552, failed 41-54. It aimed to remove certain personal information from homeland security cyber threat indicators and countermeasures.
Sen. Tom Cotton’s (R-Ark.) amendment, No. 2581, which sought to exempt from the capability and process within the Department of Homeland Security communications between a private entity and the FBI or Secret Service regarding cyber security threats, was the last defeated amendment, by 22-73.
The final amendment was a voice vote adoption of the manager’s package previously agreed to, amendment No. 2716.
As final passage on the bill approached, some observers continued to express opposition or skepticism.
The Electronic Frontier Foundation (EFF), a nonprofit that “champions user privacy, free expression, and innovation through impact litigation, policy analysis, grassroots activism, and technology development,” made statements generally representative of the opposition.
Citing deficiencies in the manager’s package, EFF said: “Contrary to the claims of CISA supporters, the bill does not fix any core privacy concerns…The new language further weakens the fundamentally flawed bill, which already suffers from broad immunity clauses, vague definitions, and aggressive spying authorities. Further, the bill does not address problems that caused the recent highly publicized computer data breaches like unencrypted files, poor computer architecture, un-updated servers, and employees (or contractors) clicking malware links.”
“EFF continues to strongly oppose the bill,” the organization said.
EFF also noted that large technology companies like Apple [AAPL], Yelp [YELP], Symantec [SYMC], Salesforce [CRM], and Twitter [TWTR] oppose the bill.
Another analyst brought a different sort of skepticism to CISA.
“On the surface, efforts to increase information sharing about the latest cyber threats seem like a no-brainer,” Brian Krebs, a well-regarded cybersecurity reporter who formerly worked for The Washington Post and currently maintains a popular independent cybersecurity news and investigative website, said before the vote.
Krebs noted that, rather than a lack of legislatively mandated sharing, the bigger impediment to responding to cyber breaches is that many companies do not realize how important their IT assets are.
“In practice, however, there are already plenty of efforts–some public, some subscription-based–to collect and disseminate this threat data. From where I sit, the biggest impediment to detecting and responding to breaches in a more timely manner comes from a fundamental lack of appreciation—from an organization’s leadership on down—for how much is riding on all the technology that drives virtually every aspect of the modern business enterprise today.”
Krebs said many organizations only see the value in investing in cybersecurity after a breach, and even then they often seek “shiny new technologies or products” they perceive will help protect them, yet overlook the importance of investing in talented cybersecurity professionals.
Krebs agreed with a letter from academics sent to the bill’s sponsors that CISA is an example of a “let’s do something law” from a Congress under pressure to respond to a parade of breaches across the public and private sectors.
“The most frustrating aspect of a legislative approach to fixing this problem is that it may be virtually impossible to measure whether a bill like CISA will in fact lead to more information sharing that helps companies prevent or quash data breaches.”