Leaders in Congress and the heads of government agencies made a renewed push to pass the Cybersecurity Information Sharing Act (CISA) Wednesday, and claimed the bill is essential to filling in a critical intelligence gap that will help prevent future cyber and terror attacks.
“I note that the Senate, with some manager’s amendments, offered on the Senate floor the other day S. 754, which is the Cybersecurity Information Sharing Act,” Department of Homeland Security Secretary Jeh Johnson told a House committee Wednesday. “That bill too, in its current form, is in my judgement a good piece of legislation.”
Johnson endorsed the bill, designed to maximize cyber threat data sharing between the public and private sectors, along with its companion legislation in the House while testifying before the House Homeland Security Committee on the threat of domestic terrorism posed by ISIL and Al Qaeda’s efforts to radicalize and recruit online.
“I hope the Senate takes it up on the Senate floor, passes it, and it goes to conference with the House’s bill,” Johnson continued. “We need cybersecurity legislation.”
Republican Senate Majority Leader Mitch McConnell finally brought the bill to the floor Tuesday evening, after months of delay posed by a bipartisan group of lawmakers who have come out against the bill or suggested amendments, and privacy activists lobbying heavily to defeat it over concerns it will allow tech companies to hand over more data on U.S. citizens to intelligence and law enforcement agencies.
McConnell on Wednesday said the bill would “help protect Americans’ most private and personal information.”
“It would do so by defeating cyberattacks through the sharing of information,” the Kentucky senator continued. “It contains modern tools that cybersecurity experts tell us could help prevent future attacks against both the public and private sectors.”
The majority leader countered privacy advocates’ criticism the bill will facilitate domestic surveillance by including unrelated user data, like IP addresses, emails and passwords, in the cyber threat indicators private companies turn over to government agencies.
McConnell said CISA “contains important measures to protect individual privacy and civil liberties” and that it’s “been carefully scrutinized by Senators of both parties.”
“In short, this legislation is strong, transparent, and bipartisan,” he added.
The majority leader filed cloture on CISA late Tuesday, kicking off a round of procedural votes, including consideration of more than 20 amendments Republicans and Democrats agreed to consider before Congress’ August recess. Oregon Democratic Sen. Ron Wyden is leading a coalition of lawmakers in that effort to address the bill’s major privacy concerns, including stiffer requirements for removing personal data.
Those amendments will need more than 60 votes for passage. In an effort to save time, bill sponsors also offered up the manager’s amendment mentioned by Johnson, which includes 14 of the 21 amendments lawmakers agreed to consider before their summer recess. One of those provisions would allow DHS to automatically filter out personal information if it meets certain conditions.
According to Delaware Democratic Sen. Tom Carper, who originally sponsored the amendment with fellow Delaware Democrat Sen. Chris Coons, the manager’s amendment guarantees DHS “can apply privacy protections to cyber threat data as it sends information to other agencies.”
Senator Dianne Feinstein, the ranking Democrat on the Senate Intelligence Committee and co-sponsor of the bill alongside intel chairman Sen. Richard Burr, took to the Senate floor Wednesday to tout the manager’s amendment.
“It makes important changes to the bill to address privacy concerns about the legislation,” Feinstein said, pointing to a new provision that forbids the government to use shared cyber threat indicators to investigate unrelated felonies.
“The provision had been used by privacy groups to claim that this is a surveillance bill. It is not,” the California Democrat added.
Feinstein said the Carper and Coons’ amendment would ensure DHS takes steps to remove unrelated data like Social Security numbers before the data is shared across agencies.
“This should be very meaningful to the privacy community — I really hope it is,” Feinstein said, adding cooperation with the government under the bill is voluntary. “I want to believe that their actions aren’t just to kill that bill.”
Yet none of those edits address a further criticism of the bill — that it won’t be useful in preventing cyber threats at all.
“Sharing and collaboration has never come as a result of government regulation,” Russ Spitler of AlienVault said in a recent statement. AlienVault has been operating a cyber threat data sharing platform with HP, Intel Security and others since 2012.
“CISA does not provide this for us,” he said.
After procedural and amendment votes, CISA will likely get a final vote in the Senate early next week.