The Senate on Thursday cleared the first hurdle toward passing a controversial cybersecurity bill championed by pro-business groups and condemned by civil-liberties advocates and leading tech companies as detrimental to Americans’ privacy.
The upper chamber voted 83-14 to end debate and advance the Cybersecurity Information Sharing Act (CISA), which would let businesses share data about cyber threats with the government. A final vote on the bill is expected early next week.
A growing wave of cyberattacks in recent years has heightened concerns about weak cybersecurity practices, prompting Congress to consider new ways to spot these attacks before they begin. But CISA faces fierce criticism from a broad coalition of privacy advocates over concerns that businesses will expose their users’ personal information when they share threat data with the U.S. government. The bill contains a provision requiring companies to scrub such information, but civil-liberties groups argue that its language is not stringent enough.
“Everyone is for ‘cybersecurity,’ but that’s not what this bill is about,” Nathan White, senior legislative manager at the civil-society group Access, said in a statement. “This bill is being sold as security, but it’s a backdoor to surveillance. The more people learn about the bill, the more the opposition grows.”
Access and other civil-liberties groups set up a coalition website called Stop Cyber Surveillance. The groups will protest CISA at the Capitol on Thursday night.
Major tech companies like Twitter and Dropbox also oppose the bill, as does a trade group representing other tech giants like Amazon, Facebook, and Google.
Senate Intelligence Committee Chairman Richard Burr (R-N.C.), the bill’s co-sponsor, on Wednesday dismissed criticisms of the bill as “a sign of ignorance or a sign that [critics are] being disingenuous.”
But Sen. Ron Wyden (D-Ore.), CISA’s chief congressional opponent, insisted that Burr and other supporters were masking the bill’s true nature.
“This isn’t a cybersecurity bill,” Wyden said on the Senate floor on Thursday. “This is yet another surveillance bill. The Senate is again missing another opportunity to do this right and promote both security and liberty.”
Wyden introduced an amendment to rewrite the privacy provision, which currently directs any company sharing cyber threat data to scrub from the data:
“any information…that the [company] knows at the time of sharing to be personal information of or identifying a specific person not directly related to a cybersecurity threat.”
Wyden’s amendment would instead direct companies to scrub:
“any personal information of or identifying a specific individual that is not necessary to describe or [identify] a cybersecurity threat.”
The new language would emphasize preserving information that companies believe is directly related to cyber threats rather than focusing on deleting information that is found to be unrelated—creating a higher bar to including potentially sensitive data.
It remained unclear, as CISA cleared its first hurdle, when (or whether) this and other amendments would receive votes.
Cybersecurity has been the focus of unprecedented attention in recent months, following the massive data breach at the Office of Personnel Management, in which hackers stole the records of more than 22 million current, former, and prospective federal workers. CISA supporters repeatedly pointed to the OPM hack as evidence of the cyber threats that the United States faced, even though experts have said that cyber threat data sharing would not have prevented the attack.
Wyden has even warned, in an interview with the Daily Dot, that CISA could compound the problem, by placing a new repository of threat data—potentially including Americans’ personal information—on government servers that remain insecure. He echoed those concerns on the Senate floor on Tuesday, calling CISA’s data-sharing portal “a prime target for hackers.”
Many business groups, including the U.S. Chamber of Commerce and the Financial Services Roundtable, have pushed for passage of CISA. The bill grants companies immunity from lawsuits stemming from their sharing of cyber-threat data with the government.
Immediately after the cloture vote, the Senate defeated an amendment from Sen. Rand Paul (R-Ky.) to preserve legal liability for companies that violate their privacy agreements with customers by sharing personal data.
“This legislation is a first step only to improve our nation’s defenses against cyberattack and cyber intrusion,” Sen. Dianne Feinstein (D-Calif.), the top Democrat on the Intelligence Committee and one of CISA’s main backers, said on the Senate floor on Tuesday. “It is the most effective first legislative step we believe that we can take.”
Update 11:03am CT, Oct. 22: Added Paul amendment vote.
Photo via jasleen_kaur/Flickr (CC BY SA 2.0) | Remix by Jason Reed