CISA Amended to Address Privacy, Oversight Issues

But vote does not look like it will come until next week

Senate Intelligence Committee chair Richard Burr (R-N.C.) said Wednesday that it looked like the Cybersecurity Information Sharing Act (CISA) would not be ready for a final vote until Monday or Tuesday of next week. 

The bill allows businesses to share cyberthreat information with each other and with the government, and allows the government to share information about those threats, and how to defend against them, with businesses, all in as close to real time as possible. The information would be submitted to a Homeland Security Department portal (an automated system).

The problem is the growing number of attacks on business and government and the need to flag those and share ways to stop them in as close to real time as possible.

Burr, who backs the bill, took to the Senate floor to say the bill is important, balances security and privacy, and is entirely voluntary. Companies that don't want to share their information with each other or the government don't have to, he said.

And since it is voluntary, Burr said, it incentivizes companies by giving them blanket immunity from antitrust laws to collaborate on identifying and addressing cybersecurity threats, but only for that reason, and a focused immunity from lawsuits over inadvertently sharing personal information, which must be scrubbed before data sharing unless it is vital to identifying a threat. There will not be immunity for gross negligence or willful misconduct.

That came despite the adoption of a new version of the bill (in the form of a manager's amendment) that included 14 amendments and 20 new provisions that another of the bill's major backers, Sen. Dianne Feinstein (D-Calif.), said should address many of the privacy groups' issues with the bill, unless they simply want to kill the bill rather than improve it.

Sen. Harry Reid (D-Nev.), Senate minority leader, earlier in the day urged passage of the bill, saying it was not perfect, but it was "OK," and long overdue.

Intelligence Committee member Sen. Ron Wyden (R-Ore.), who opposes the bill, said the new version still did not sufficiently protect privacy.

Burr pointed out that many big tech companies oppose the bill, but advised them to read the manager's amendment. He also pointed out that those opponents--Feinstein called out Apple, Google and Microsoft by name--are the ones that hold large amounts of personal data.

Feinstein and Burr talked extensively about why the bill was not a surveillance bill, and about all the new privacy protections that were added in the manager's amendment to make it more acceptable to privacy groups and some members who Burr argued have been opposing any legislation.

Those include that the bill no longer allows the government to use cyber threat information on non-cyber crimes, even serious violent felonies. Burr had wanted that provision, but said it was now out in the interests of accommodating the bill's critics.

According to Feinstein, the bill also now limits the authority to share information to cybersecurity only, and again, that information has to be scrubbed of personally identifiable information before it is shared.

It also limits defensive measures against attacks by saying they cannot include gaining unauthorized access to computer networks. Feinstein and Burr also pointed to oversight provisions, including internal IG investigations and independent oversight boards, as well as periodic reports to Congress.

On the "voluntary" issue, Burr and Feinstein pointed out that the information cannot be used by regulatory agencies against the companies that supply it, though it does direct federal agencies to report on how they prevent their own cyber intrusions.

Wyden said that information sharing can be valuable and cybersecurity is crucial. But he said the bill is badly flawed because it does not have robust privacy standards for information sharing, which is why critics call it a surveillance bill.

Wyden said immunity from lawsuits won't stop sophisticated attacks like the one on the Office of Personnel Management. He said the big criticism of the bill is its adverse impact on privacy, which outweighs the limited security benefits. He said the new bill's privacy protections are too weak. He also cited the tech companies that have come out against the bill, saying they are in the best position to know what threatens customer confidence, which he says is the bill's lack of privacy protections.

Wyden pushed for an amendment that would better ensure that personally identifiable information (PII) would be scrubbed.

Wyden alluded to the fallout from the EU court's decision to strike down the safe harbor data agreement. He said he opposes that ruling, but said this bill needs to send the right signal that the U.S. is protecting privacy, and that in its present form it would do the opposite.

He called the roll of companies that oppose the bill: Apple, Twitter and Yelp, as well as Google, Amazon, Facebook, Microsoft, PayPal and eBay as members of the Computer and Communications Industry Association, which says the bill does not adequately protect privacy.

An unhappy Sen. Sheldon Whitehouse (D-R.I.) complained that he could not get a vote on his amendment targeting botnets, asking if there were a pro-botnet, pro-foreign cybercriminals caucus he did not know about, and said he did not know how he would vote on the bill. Sen. Tom Carper (D-De.) said if his amendment did not get a vote in the Senate, he would work to make sure it was brought up in conferencing with the House.

If the bill passes, it must still be conferenced with two House versions of cybersecurity legislation and get the President's signature. To that point, Burr said that the National Security Council would be coming out in support of the bill Thursday (Oct. 22).