Here’s What Is in the Senate’s Cybersecurity Bill

Senate Intelligence Committee Chairman Sen. Richard Burr, R-N.C.

Senate Intelligence Committee Chairman Sen. Richard Burr, R-N.C. Jacquelyn Martin/AP

Featured eBooks

Digital First
Cloud Smarter
Cybersecurity & the Road Ahead

Despite amendments, privacy groups still fear the measure could expand NSA spying.

The Senate Intelligence Committee released late Tuesday the language of its recently passed cybersecurity bill, which its backers say could hit the Senate floor as soon as April.

The text of the legislation—which the committee passed 14-1 last Thursday—is largely the same as the discussion drafts that circulated before the vote, but it does incorporate a number of privacy-related amendments that were offered during the markup.

Despite the changes, privacy advocates indicated they str still worried the measure could lead to more spying by the National Security Agency.

The Cybersecurity Information Sharing Act is intended to help forestall cyberattacks like the one that crippled Sony Pictures last year, but concerns about government surveillance prevented a similar measure from earning a vote on the Senate floor in the last Congress. The legislation creates a voluntary framework for the private sector to share more computer data with the government by offering companies expanded legal liability if they choose to participate.

Thanks to an extended spate of high-profile hacks, the bipartisan measure could earn an expedited review and land on the Senate floor as soon as April. In the House, Homeland Security Committee Chairman Michael McCaul signaled on Tuesday he plans to introduce his own information-sharing bill this week.

The White House has identified information-sharing as a key priority this year, although it has yet to say if it supports the current CISA language. President Obama issued a veto threat for a similar measure that passed the House a few years ago, partly because of privacy concerns.

"We are committed to working with Congress to craft legislation that reflects that balance, and can pass both houses," a senior administration official said in a statement. "In that spirit, we thank the committee for working with us to address some of the administration's most significant concerns with the committee's bill, and look forward to reviewing the legislation."

Among the nuanced changes, the latest iteration of CISA grants liability protection for companies that share information related to "defensive measures" used to fend off hacks, a term substituted for the more controversial "countermeasures." The bill further clarifies that "defensive measures" does not include data that "destroys, renders unusable, or substantially harms an information system."

But privacy advocates were quick to again express dismay at the wording of several provisions in the latest iteration of CISA.

Jake Laperruque, a privacy and surveillance fellow at the Center for Democracy & Technology, said that, despite the revisions, CISA still amounted to a "cybersurveillance measure." Of particular concern, Laperruque said, was that the committee-passed legislation "required real-time 'insta-sharing' with the NSA" once data is handed over to the government—a mandated scheme that he said gained even more authority under the amended language.

When asked if the amended CISA bill fell short of privacy safeguards included in a separate bill introduced by Sen. Thomas Carper, Laperruque said "definitely." He noted that the measure from Carper, the top Democrat on the Senate Homeland Security Committee, gives no authority for countermeasures at all. Carper's bill adheres closely to a White House proposal rolled out in January.

The new CISA language also still allows for data collected by the government to be used for counterterrorism purposes, including thwarting the use of a weapon of mass destruction, although it restricts such use to imminent threats.

Privacy advocates' continued skepticism about CISA is unsurprising, given that Sen. Ron Wyden, a fierce civil-liberties hard-liner, cast the lone vote against the bill last week. The Oregon Democrat blasted the measure as "a surveillance bill by another name."

Sen. Dianne Feinstein, the panel's top Democrat, told reporters last week that 12 of 15 privacy amendments had been accepted by the committee either in part or full.

It is unclear how quickly the Senate intends to move CISA forward, but an aide to Majority Leader Mitch McConnell called information-sharing legislation a "priority." Senate Intelligence Committee Chairman Richard Burr indicated he believes the measure can earn a vote in early April.