After months of negotiation, a cybersecurity bill designed to step up defenses in the wake of high-profile hacks moves closer to the president’s desk.
Despite howls of protest from privacy advocates, the Senate on Tuesday passed legislation aimed at bolstering the nation’s defenses against hackers.
The Cybersecurity Information Sharing Act, or CISA, passed the Senate 74-21.
Since the House earlier this year passed two different versions of a cyber-information-sharing bill, lawmakers from the Senate and House will have to come together in a conference to align their versions of the legislation into a final, unified version of the bill that will need to be passed again by both chambers before it can be signed into law.
Opposition to the bill, which would provide incentives to private businesses to share information about online threats with each other and with the federal government, was led by the Senate’s privacy hawks—Ron Wyden, Patrick Leahy, and Al Franken—and backed by civil liberties groups and tech companies who were unhappy with the bill’s privacy protections.
But CISA’s cosponsors, Sens. Richard Burr and Dianne Feinstein, with the support of two hugely influential trade groups in the U.S. Chamber of Commerce and the Financial Services Roundtable, rallied senators around their bill, calling it a necessary but incremental step toward preventing massive data breaches like the ones that affected Sony Pictures Entertainment and the Office of Personnel Management over the last year.
Before leaving for a monthlong recess in August, senators set up 22 amendments to get votes alongside the bill. Burr and Feinstein folded a number of amendments that they supported into a manager’s package, which tweaked the bill with a limited increase in privacy protections, but left about a dozen others that they did not support to get individual votes.
On Tuesday morning, senators considered a number of amendments that would have bolstered the bill’s privacy protections. The proposed changes would have tightened mechanisms for removing sensitive personal information from the threat indicators that would be shared under the program, specified the kind of information that could be considered threatening enough to be shared, and made certain information available to Freedom of Information Act requests.
The Senate voted down all of the privacy offerings.
The day’s votes caught the eye of Edward Snowden, who took to Twitter to push for the privacy changes, and, when they were voted down, to shame the lawmakers who voted against them.
Before taking up the bill and voting on final passage, two more individual amendments got a vote, including an especially controversial change from Sen. Tom Cotton, which proposed extending liability protections to companies that chose to share directly with the FBI and the Secret Service.
Burr and Feinstein said the amendment would undo their work to set up the Department of Homeland Security as the central clearinghouse for shared threat data, a view the White House said it shared in an official policy statement circulated last week.
Cotton’s amendment, which Burr called a “deal-killer,” was overwhelmingly rejected, 73-22.
Finally, senators took up the manager’s amendment and the final bill, and passed both.
IBM, one of the businesses that lobbied in favor of the bill, celebrated its passage.
“Today’s vote is a big win for both security and privacy,” said Timothy Sheehy, the company’s vice president for technology policy affairs. “Sharing technical details on the latest digital threats is critical to strengthening America’s cyber defenses.”
At a press conference after the final vote, Burr and Feinstein thanked senators who worked with them on the bill, and lauded the bipartisan nature of its passage.
“What we saw in this process is the United States Senate as it’s supposed to function,” Burr said.
“On occasion, we can defy the common wisdom that we’re totally gridlocked here in Washington,” added Sen. John McCain.
But privacy groups vowed to keep fighting to boost the privacy protections as the cybersecurity legislation continues through the political process.
“To avoid a veto, whatever emerges from the conference committee must be a bill that meets President Obama’s previous standards,” said Nathan White, senior legislative manager at Access, a digital human-rights organization. “The administration’s policy up to this point has been very clear—it has supported CISA’s process but expressed concerns that it is currently ‘dangerous to cybersecurity.’
“Today’s vote is a disappointment,” White added. “But it is not the end of the road.”