Cybersecurity legislation has eluded Congress for the last three years, but a number of high-profile hacks have prompted more urgent calls to action. Data breaches at Target, Sony Pictures, and the government itself — like the Office of Personnel Management break-in — that compromised the personal information of over 22 million people, have spurred more lawmakers to support CISA as an imperfect but necessary reform.
But once the Senate clears the legislation, the process isn’t over. It must still be reconciled with the House version. And how the remaining steps are completed, particularly a roster of amendments awaiting consideration, will determine how complex that conference process will be.
Senate Intelligence Committee Ranking Member Dianne Feinstein (D-Calif.) defended the legislation as vital, if imperfect, to advancing cyber protections..
“This is a good bill,” Feinstein told her colleagues. “It is a first step, it’s not going to prevent all cyber-attacks or penetrations but it will allow companies and the government to share information about the cyber threats they see and the defensive measures to implement to protect their networks.”
Feinstein and Chair Richard Burr (R-N.C.) argue that the bill is “really our last chance,” as Burr put it Thursday, to pass legislation avoiding the sort of security breaches that have compromised the information of millions of people.
But despite the overwhelming support on the procedural vote, not everybody agrees that the Senate’s bill is the best way to improve cyber security.
Major technology companies “have come out overwhelmingly against this legislation and are not satisfied by this substitute,” Sen. Ron Wyden (D-Ore.) said, referring to trade organizations and companies like Apple and Dropbox that have recently come out against the Senate’s cybersecurity bill.
“We have a serious problem with hacking and cybersecurity threats,” Wyden continued. But the Senate bill, he argued, was “a cybersecurity information sharing bill without real and robust privacy protections,” and thus “millions of Americans are going to look at that and say, this isn’t a cybersecurity bill, this is yet another surveillance bill.”
Passing the initial hurdle, however, means that senators will now move onto the tricky business of debating and voting through a list of amendments – some of them innocuous, but some of them, potentially treacherous to the bill’s ultimate fate.
Privacy advocates have proposed what are perhaps the most thorny amendments to the bill, offering measures that would place limits on what kind of information companies could share with the government, and peeling away at liability protections. Supporters of the bill say those are necessary, however, to securing any buy-in from would-be participants.
Burr warned his colleagues not to be tempted by amendments that seemed reasonable in the abstract, if they could bring down the whole bill.
“It’s going to be inviting for people to do it, but let me say to my colleagues, ‘If you do it, information sharing is over with, the effort is dead,’” Burr said.
“This bill that we’re attempting to get through the Senate is a voluntary information-sharing bill,” Burr explained, “and the mere fact that it’s voluntary means we have to have in place certain incentives that provide companies a reason to participate.”
Senators appear to have heeded his advice for the first of those amendment votes: Only 32 senators supported an amendment from Sen. Rand Paul (R-Ky.) to withhold liability immunity from any company that would be breaching a standing user agreement by sharing information about threats under the cybersecurity bill.