The Senate on Thursday overwhelmingly passed a bill to promote information sharing between companies and the government on cybersecurity risks, taking a long-awaited step on a key but thorny issue.

The 74 to 21 vote was a resounding endorsement of the need for Congress to take a step forward on addressing cyber threats to the country, despite lingering disagreements on how best to strike the balance between protecting individuals’ privacy rights and ensuring companies and the government have the tools they need to protect against credible threats.

But the legislation still faces nuanced and tricky challenges to be dealt with in a House-Senate conference. And it still has its fair share of skeptics inside and outside Washington.

The bill has received strong and repeated support from Senate leaders on both sides of the aisle, who paint it as a critical opening salvo in protecting the country against a growing spate of cyber threats, such as the widespread data breach at Target earlier this year and this summer’s Office of Personnel Management hack compromising the information of 22 million.

“Everyone should want to see the bipartisan cybersecurity bill before us pass today,” Senate Majority Leader Mitch McConnell (R-Ky.) said, recalling how last week 83 senators voted to advance the legislation. “Its voluntary information-sharing provisions are key to defeating cyberattacks and protecting the personal information of the people we represent.”

But despite the strong opening showing, the Senate is far more divided when it comes to specific provisions of the legislation, especially those concerning the exact definitions of liability and privacy protections.

While the Senate defeated two amendments to reduce the information participants share about individuals whose details could be omitted from cybersecurity threat reports, the votes were close. An amendment by Sen. Dean Heller (R-Nev.) that failed, 49 to 47, would have required a company to remove the personal information of individuals “reasonably believed” to be unrelated to a cybersecurity threat, instead of those “known” not to be, before sending reports to the government.

Issues like those will require the attention of conferees. In fact, Senate and House negotiators will have to wrestle with that very standard, as the House’s bill incorporates language closer to Heller’s.

The House passed two cybersecurity bills back in April: the Protecting Cyber Networks Act, or PCNA, and the National Cybersecurity Protection Advancement Act, or NCPAA, eventually combining the two as separate titles of the same legislation.

Both, like the Senate’s Cybersecurity Information Sharing Act, or CISA, seek to set up a voluntary information-sharing system whereby private entities and the government can share tips and risk alerts, and better coordinate protections against hackers and other cyber threats. Both, like CISA, seek to encourage participation through a series of liability incentives for private companies, while ensuring that some privacy safeguards remain in place to protect individuals from having their personal information inappropriately shared.

But the two House bills have a slightly different focus, and put the burden of carrying out critical parts of the new cyber information collection, analysis and dissemination regime under different parts of the federal government.

The Senate’s CISA bill does not focus, for example, on the National Cybersecurity and Communications Integration Center, a division of the Department of Homeland Security, or the Cyber Threat Intelligence Integration Center, established earlier this year in the Office of the Director of National Intelligence, which both play a significant role in the House bills.

The Senate legislation deals with homeland security and intelligence operations more broadly, and envisions a slightly different scope of agencies with which information can be shared.