Senate Overwhelmingly Passes Controversial Cybersecurity Bill, Angering Opponents

The U.S. Senate passed the controversial Cybersecurity Information Sharing Act (CISA) on Tuesday, paving the way for private companies to share cyberthreat information not just with each other, but with the government.

A salient point of the measure, S. 754, centers on the freedom companies would have to share what they deem to be cyber intelligence without fear of lawsuits. But a vocal opposition to the measure took to social media during the Senate’s debate, calling on lawmakers to defeat the bill because it will tantamount to sanctioned government spying on citizens.

The bill, which passed by a 74 to 21 vote, requires the Director of National Intelligence, Department of Homeland Security, Defense Department and Department of Justice to establish methods that would lead to sharing of federally held classified and declassified cyberthreat indicators with the private sector, non-federal government agencies, and state and local governments and vice versa. The measure, penned by Sen. Richard Burr (R-NC), facilitates the sharing of cyberthreat details in a timely manner and lets companies share forensic data on breaches and vulnerabilities with federal information technology experts without fear of liability.

But it rustled up opposition from objectors, including companies such as Apple, Dropbox and reddit, which fear the blanket sharing would compromise privacy laws, among other adverse impacts. The Computer and Communications Industry Association also opposed the measure. “CISA’s prescribed mechanism for sharing of cyberthreat information does not sufficiently protect users’ privacy or appropriately limit the permissible uses of information shared with the government,” reads a portion of the association's position statement. “In addition, the bill authorizes entities to employ network defense measures that might cause collateral harm to the systems of innocent third parties.”

Cybersecurity company RedSeal Incorporated, a U.S. enterprise software company that models network security infrastructure to defend against cyber attacks, criticized the bill because it fails to solve core issues to protect against breaches, and will lead to “the erosion of trust between citizens and business and government,” said CEO Ray Rothrock. “Sharing is essential in a digital war as information is critical to winning. And, the concept of safe harbor is a powerful one, and used broadly in American business. However, in this case, the safe harbor is only between the government and business and does nothing for citizens and customers.”

The bill fails to safeguard individuals’ personal information, he added. “As a business owner, under the Senate bill I may seek safe harbor by sharing information with the government, but my customers are still wondering what I’m doing to protect their information."

The legislation fails to close a significant partnership gap and “the ongoing reluctance of government to share timely and actionable cyberthreat information and threat intelligence with the private sector,” Robert Dix, vice president of Global Government Affairs and Public Policy at Juniper Networks, recently wrote in a SIGNAL blog.

“Additionally—and regrettably—some people seem to believe that passage of CISA will solve the evolving and increasingly perilous cybersecurity challenge,” Dix wrote. “While information sharing is important, it is just a tool to achieving the real objective; which is timely, reliable and actionable situational awareness during steady state operations and throughout thresholds of incident escalation.”

Companies and interested people took to social media to voice opposition, saying the measure grants unchecked federal powers to spy on citizens in the name of protecting them from hackers.

Throughout Tuesday's legislative discussion, senators offered amendments to address concerns—all of which failed to pass by simple majority. Senate Assistant Minority Leader Dick Durbin (D-IL) said the measure infringes on people's privacy in the name of national security. “We are always going to be faced with that challenge,” Durbin said. “Are we going too far? Are we giving too much to the government? That, in fact, is the debate we have today.”

Sen. Patrick Leahy (D-VT) argued that as is, the bill usurps state and local laws regarding the Freedom of Information Act and weakens transparency. Sen. Ron Wyden (D-OR) introduced an amendment that would have required personnel and proprietary details be removed from shared information.

Opponents of the the amendments say they sought to “fundamentally undermine the core purpose of the bill, which is voluntary, real-time sharing of cyberthreats,” argued bill supporter Sen. Roy Blunt (R-MO).

The measure encourages sharing of information and does not require it, he pointed out. It offers the nation a “responsible balance” between protecting citizen liberties and information and defending national security, said Blunt, adding that Congress next must tackle ridding the system of patchwork of notification laws that differ from state to state.

A similar version already passed in the House of Representatives this past spring. Differences between the House and Senate version will need to be reconciled before it heads to the White House, which supports the measure.