Despite months of advocacy by privacy organizations asking Congress to either reform or kill the Cybersecurity Information Sharing Act (CISA) due to privacy concerns, the bill passed the Senate on Tuesday in a 74-21 vote.
Basically, companies will have increased liability protection when collecting and sharing user personal information that could purportedly be related to security threats. The bill makes it easier to share the data with each other, and with government agencies.
Privacy advocates say the bill is flawed due to vague definitions, broad immunity clauses and aggressive spying by authorities. They say it lacks the ability to address the real cybersecurity problems that caused recent high-profile computer data breaches, such as the Target data breach. It also fails to address poor malware architecture, unencrypted files, failure to update servers and employees clicking malware links, they contend.
The controversial bill encourages companies to share private data with the government, a move civil liberties advocates find worrying. The four amendments proposed to address these privacy concerns all died on the floor.
Sen. Dianne Feinstein (D-California) introduced the Cybersecurity Information Sharing Act in June 2014 in the wake of several high-profile cybersecurity attacks aimed at major US corporations. The bill will now proceed to a conference committee between the House of Representatives, which had previously passed its own version, and the Senate. Assuming the bill is approved – a likely prospect – it will head back to President Barack Obama.
Sen. Ron Wyden (D-Oregon), a critic of the privacy violations in the bill, had proposed one of the defeated amendments. The Wyden amendment would have included language aimed at protecting personally identifiable information by compelling companies to remove it “to the extent feasible,” because personal information does not provide information about cyber threats.
The current language in CISA allows companies to only remove personally identifiable information (PII) if the companies know that it is not directly related to a cybersecurity threat.
Wyden also noted that CISA’s information sharing is said to be voluntary on the surface, but is actually voluntary for the companies, and not the customers. This means that even if users sign privacy agreements with companies, the companies can still break the agreement and remain protected from any legal remedy.
The Wyden amendment failed to pass with a vote of 41 to 55.
Sen. Dean Heller (R-Nevada) had proposed the Heller amendment, as a backup, in case the Wyden amendment failed to pass. It was similar to the Wyden amendment, and placed the burden of removing PII that is not related to cyber-threats on the Department of Homeland Security.
The Heller amendment failed to pass with a vote of 47 to 49. At least it was a close call.
Sen. Pat Leahy (D-Vermont) introduced the Leahy amendment, which was offered to tackle the issue of CISA’s sweeping Freedom of Information Act (FOIA) exemptions.
The Leahy amendment failed to pass with a vote of 37 to 59.
Sen. Al Franken (D-Minnesota) introduced the Franken amendment to narrow the definition of “cybersecurity threat,” which would have limited the scope only to those actions “reasonably likely” to cause damage to a company’s network. CISA’s current language is a vague “may.” It would also have limited the definition of “cyber threat indicator” to include only information necessary to describe actual harm flowing from an incident, not the current vague “potential harm.”
The Franken amendment failed to pass by 35 to 60.
Opponents of CISA include tech behemoths such as Google and Apple, and policy advocacy organizations such as FreedomWorks and the Electronic Frontier Foundation.