Senate stalls on cybersecurity bill
Wrangling over amendments delays floor action on Senate cyber bill until September.
The Senate is leaving town for its August recess without further action on a cybersecurity bill.
The Cybersecurity Information Sharing Act is the latest in what has become an annual exercise in attempting to provide a new legal framework for private companies to share information on cyber threats with government and with each other, without running afoul of privacy and antitrust statutes.
A deal to bring CISA to the floor for a cloture vote with an eye to passing the bill on Aug. 6 fell apart because of disagreements over what amendments would be subject to debate and vote. The Senate now plans to pick up cybersecurity after the recess, with Democrats allowed to introduce 11 amendments and with Republicans getting 10.
Senators lobbed more than 70 amendments, some relevant to cybersecurity and some designed with the apparent intent of delaying action on the bill.
While the measure was approved by the Senate Select Committee on Intelligence by a vote of 14-1 and has White House backing, privacy advocates are concerned that network operators won't have to obtain the consent of their customers before sharing information on alleged cyber threats with federal agencies.
White House spokesman Eric Schultz put out a statement backing the bill. "Cybersecurity is an important national security issue and the Senate should take up this bill as soon as possible and pass it," Schultz said Aug. 4.
The administration backing is notable because the Department of Homeland Security warned of privacy issues with the bill in a letter to Sen. Al Franken (D-Minn.). Those concerns were apparently addressed in recent changes to the bill by its lead backers, Sens. Richard Burr (R-N.C.) and Dianne Feinstein (D-Calif.), the chairman and vice chair of the Intelligence Committee.
Sen. Ron Wyden (D-Ore.), the lone no-vote on the Intelligence panel, has characterized CISA as a "surveillance bill," and he doesn't think it will work.
"I'm of the view that this bill in its present form would do little if anything to stop large, sophisticated cyberattacks like the Office of Personnel Management hack," Wyden said on the Senate floor.
Feinstein rejected that view. "We have made some 15 privacy information improvements in this bill," she said during floor debate Aug. 6, referring to a manager's amendment added to the bill to mandate that information gleaned in cybersecurity threat reports won't be used in unrelated prosecutions by law enforcement agencies. "This is not a surveillance bill," Feinstein said. "What it is meant to be is a voluntary effort that companies can enter into with some protection if they follow this law," she said.
CISA would give network operators and other private firms certain protections from antitrust and consumer privacy liabilities when they report information on cyber threats to government, or share them with each other.
"It's been referred to that we're here because OPM got hacked. No. We're here because the American people's data is in jeopardy if government doesn't help to find a way to minimize the loss," Burr said on the floor Aug. 4.
Turf issues may have played a role in the bill stalling out. The Judiciary Committee and the Homeland Security and Governmental Affairs Committee have jurisdiction over agencies and policies charged with leading the response to the cyber threat, and some panels have their own legislation on cyber teed up.
"The Homeland Security Committee is certainly free to do a bill. The Judiciary Committee is certainly free to do a bill. We happen on Intelligence ... to have been working on this for a long, long time, "Feinstein said. "This bill, I believe, has hit the mark."
If the bill passes in September, it still would have to be reconciled with a pair of bills passed by the House, one making DHS the hub of information sharing with private firms, and another authorizing the intelligence community to share known threat signatures with private companies via DHS.
Burr noted in his floor remarks that he hoped for quick passage of CISA in order to get to work conferencing the legislation.
"It's the Senate that's now holding us back," Burr said.