The Senate on Tuesday passed a cybersecurity bill that would give companies legal immunity for sharing data with the federal government, over the protests of some lawmakers and consumer advocates who say that the legislation does not adequately protect Americans’ privacy.
The Cybersecurity Information Sharing Act, or CISA, must now be reconciled with legislation passed earlier this year by the House.
The Obama administration and lawmakers in both parties have been seeking for years to enact information-sharing legislation, and it now seems likely to become law.
The 74-to-21 vote comes as digital attacks against private industry and the government alike put pressure on lawmakers to address information security.
"For me this has been a six year effort … and it hasn't been easy because what we tried to do was strike a balance and make the bill understandable so that there would be a cooperative effort to share between companies and with the government," Sen. Dianne Feinstein (D-Calif.), vice-chairman of the Intelligence Committee and a co-author of the bill, said on the Senate floor.
But privacy activists argue that the bill lacks robust privacy protections. They expressed concerns with provisions that allow the Department of Homeland Security to share information gathered in the program with other government agencies, such as the FBI or the National Security Agency. Critics say that effectively turns the legislation into a backdoor surveillance bill that benefits the intelligence community.
“We are encouraged that the Senate has passed key portions of the legislative proposal that the president sent to Congress in January,” said Lisa Monaco, assistant to Obama for homeland security and counterterrorism. She added, "We are hopeful that the Senate and House can work together expeditiously to send cybersecurity legislation to the president’s desk."
The White House expressed qualified support for the legislation in a statement last week, indicating that it would work to make improvements to the bill in the reconciliation process with the House legislation.
Supporters of the legislation argue that the government could better help private companies secure their systems if it had more information about the threats they face. But companies have been reluctant to share that information out of fear of running afoul of privacy regulations, proponents say.
"It clears away the uncertainty and concerns that keep companies from sharing this information," Feinstein said.
CISA would set up a hub for voluntary information sharing that would be managed by DHS: When a company discovers suspicious activity on its systems, it would give information about the attack to the government, which would warn other companies.
In theory, the information shared would be limited to “threat indicators” — data such as technical information about the type of malware used or the ways that attackers covered their tracks while sneaking through systems.
The Senate rejected amendments from Sens. Ron Wyden (D-Ore.) and Dean Heller (R-Nev.) that would require more stringent reviews by companies to remove personal information before sharing data with the government, as well as other amendments aimed at removing restrictions on Freedom of Information requests over data shared under the program and tightening the definition of "threat indicators." It also rejected an amendment that would have extended liability protections to companies that shared cyber threat information with the FBI and the Secret Service.
The Senate did pass a manager's amendment package from Feinstein and Sen. Richard Burr (R-N.C.) that made some changes to appease privacy advocates.
But critics have warned that the bill, combined with surveillance programs revealed by former National Security Agency contractor Edward Snowden, could give intelligence agencies more leeway to collect "upstream data" from the Internet backbone.
Many civil liberties groups campaigned aggressively against the legislation, with one campaign sending a massive number of faxes opposing the bill to congressional offices and pressuring tech companies to take a public stand against CISA.
Some tech giants came out against the bill, including Apple, which has aggressively positioned itself on privacy issues. "We don't support the current CISA proposal," the company said in a statement last week. "The trust of our customers means everything to us and we don't believe security should come at the expense of their privacy."
Major tech trade groups, including the Computer & Communications Industry Association, have also come out against the legislation.
But other tech companies have endorsed CISA, including IBM. "Sharing technical details on the latest digital threats is critical to strengthening America’s cyberdefenses. Online criminals actively share information to penetrate networks, steal vital economic and national security data, and compromise the personal information of millions of Americans," Timothy J. Sheehy, vice president for technology policy at IBM's government and regulatory affairs office, said in a statement after the Senate vote.
In the final days before the vote, digital activists at Fight for the Future accused Facebook of quietly lobbying for the bill. A Facebook spokesperson denied the claim, saying that the company does not have a position on CISA.
Facebook itself runs a private system for sharing cyber threat indicators known as Threat Exchange, which some 130 companies currently use. Other industries, including the financial sector, run similar organizations among themselves -- and the government already has some mechanisms set up to help share cyber threat intelligence, although not at the scale envisioned by CISA.
Earlier this week, a group of academics and security experts expressed concern over the bill, saying it would "do little, if anything, to address the very real problem of flawed cybersecurity while creating conditions ripe for abuse."
But advocates of the bill heralded its Senate passage as a step forward for cybersecurity.
"This landmark bill finally better secures Americans’ private information from foreign hackers," said Burr in a statement after the bill's passage. "American businesses and government agencies face cyber-attacks on a daily basis. We cannot sit idle while foreign agents and criminal gangs continue to steal Americans’ personal information as we saw in the Office of Personnel Management, Target, and Sony hacks."
Ellen Nakashima contributed to this report.