Senate Majority Leader Mitch McConnell of Ky pauses during a news conference on Capitol Hill in Washington, Thursday, Aug. 6, 2015, as the Senate began its summer recess. AP Photo/Jacquelyn Martin

Senate Cyber Security Bill Hinges On 22 Amendments

Republicans and Democrats alike want to reshape the bill, which would encourage companies to share information with the government.

After a brief but heated battle, senators packed up for summer recess early this month without voting on a key cybersecurity bill. In announcing that the bill's consideration would be delayed, Majority Leader Mitch McConnell lined up 22 amendments that will get a vote when the bill comes up again in the fall, a product of intense negotiations over the bill's fate.

The amendments—10 from Republicans and 11 from Democrats, plus one from the bill's bipartisan cosponsors—range widely in their goals, and they have been the subject of a lobbying push this month from both supporters and opponents of the Cybersecurity Information Sharing Act, or CISA.

The bill sets up incentives for businesses to share cyberthreat information with the government, with the goal of supplying both with the tools and data they need to bolster their defenses. It will likely come up again after the Senate reconvenes in September, but it's just one issue in a tight legislative schedule.

Here are the 22 amendments that could make or break the bill.

OPERATIONS

1. Offers liability protection for sharing with FBI and Secret Service.

CISA would allow businesses to share cyberthreat information directly with any federal agency, but offers them liability protection only for sharing with the Department of Homeland Security.

An amendment from Sen. Tom Cotton takes liability protections a step further and would extend them to companies who want to share with the FBI or Secret Service.

The provision is a useful one for businesses that regularly deal with data breaches. "If you think about when there's a breach, the government has repeatedly said that it's important to come to law enforcement and work with law enforcement to help address that," said Andrew Tannenbaum, cybersecurity counsel at IBM. "One of the main entities that a company would share with in that situation would be the FBI or the Secret Service, so it's important to include that in the legal protections."

But the Cotton amendment is also one of the most worrisome for privacy advocates. Robyn Greene, policy counsel at New America's Open Technology Institute, says the proposal has "obvious privacy and civil-liberties concerns, because the FBI is a domestic intelligence and law-enforcement agency." Greene says the Cotton amendment could be harmful to the program's operations because it further decentralizes the provision of information within the government from the DHS hub.

2. Narrows definitions of cybersecurity threats and indicators.

An amendment put forward by three of the Senate's most outspoken privacy advocates—Sens. Al Franken, Patrick Leahy, and Ron Wyden—narrows the definitions of cybersecurity threats and the cyberthreat indicators that businesses and the government are allowed to share.

This amendment, which has the support of civil-liberties groups, would allow companies to share cyberthreat information only insofar as it's "necessary to describe or identify" a handful of malicious activities that hackers generally engage in. It would also narrow the definition of cyberthreats by requiring that companies only share information about activities "reasonably likely" to result in harm.

But the more restrictive definitions of threats and indicators could be stumbling blocks for businesses that want to participate in the sharing program, says Matt Eggers, senior director of national-security programs at the U.S. Chamber of Commerce, which has been active in supporting cyberinformation-sharing legislation for years.

"In a lot of ways, if you're dealing with cyberthreat indicators, it may take a while to figure out if there is real harm or potential harm," Eggers said. "If you have to wait until you know with near-certainty or at least a high level of confidence that harm is being done or could be done, time will have elapsed, and I think that's the issue there."

3. Restates voluntary nature of private-sector sharing.

CISA's sponsors and supporters say the bill's information-sharing platform would be voluntary, because it uses only incentives to get businesses to participate, but the bill's opponents say the way the incentives are laid out all but forces companies to engage with the government.

The existing pilot information-sharing program, run through DHS, requires companies to send the government cyberthreat information if they wish to receive information from other participants. According to Amie Stepanovich, U.S. policy manager at Access, a digital human-rights organization, staying out of the loop is too high a price to pay not to share with the government.

"Companies will be forced to participate simply to keep up with their participating competitors," Stepanovich wrote in a Wired op-ed last week. "Not to comply might actually harm their corporate interests and put their customers at risk."

One of two amendments offered by Sen. Jeff Flake reinforces the voluntary nature of the information-sharing program when private companies share information with one another, but Stepanovich says the Flake amendment does not address the likelihood that the government will require all participants to share cyberthreat information.

"Once you get into contract negotiations, there are a lot of ways you can push entities entering into the contract into sending information," Stepanovich said in an interview this week. "It becomes very likely that once they're in these negotiations that the company is going to be roped into a contractual agreement that will have them sending information to the government."

PRIVACY

4. Requires companies to remove personal information "to the extent feasible."

The business and civil-liberties communities strongly disagree over whether the current version of CISA would result in individual Americans' personal information being shared with the government inappropriately.

New America released a breakdown last week of the sorts of personal information that the group says would end up in the cyberthreat indicators that businesses are expected to share. The information the think tank identified includes IP addresses, MAC addresses, emails, documents and media files, and users' Web traffic.

The U.S. Chamber of Commerce has been working to counter those claims by putting out informational flyers through a cybersecurity coalition made up of dozens of U.S. trade groups.

"Some privacy and civil liberties groups perpetuate the falsehood that personal information is typically necessary to identify cyber threats," read a recent Chamber flyer. "This position is inaccurate and being used to oppose needed cybersecurity information-sharing legislation."

The pro-business group says the amount of personal information that would be shared is very limited, and will rarely be traceable to its source. The informational flyer says cyberthreat indicators "in the vast majority of cyber incidents do not implicate a person's behavioral, financial, or social information."

It's no surprise that the amendment that would most aggressively increase CISA's privacy protections was put forward by Wyden, the Democrat from Oregon who once called the proposed legislation a "surveillance bill by another name."

The Wyden amendment would strengthen the requirement that private companies remove sensitive personal information before sharing cyberthreat indicators. The amendment would allow companies to include personal information in the data they share only if the information is necessary to identify or describe a threat, and require them to scrub personal data "to the extent feasible."

CISA opponents have targeted this amendment as the most important must-pass change to the bill. "This is a significant front-end protection that would really improve not only the privacy concerns in the bill, but also the operational effectiveness, because what it's going to do is it's going to better curate the threat data that's shared," said Greene.

But Eggers, of the Chamber of Commerce, says businesses are constantly on the lookout for vague or subjective language that eludes easy interpretation—and he says the Wyden amendment falls into that trap.

"'To the extent feasible,' I think, is going to wrap lawyers, security professionals, and others around the axle in terms of whether or not they've removed information sufficiently," Eggers said.

5. Requires companies to remove personal information if they "reasonably believe" it's unrelated.

Sen. Dean Heller put forward an amendment that, like Wyden's, would require companies to remove personal information from cyberthreat indicators they share if they "reasonably believe" the information does not relate directly to a threat. While the Heller amendment imposes less stringent restrictions on businesses than the Wyden amendment, it still lacks the "legal certainty" Eggers says businesses want.

6 and 7. Require DHS to remove personal information before sharing with other government agencies.

A pair of amendments put forward by Delaware's two Democratic senators, Christopher Coons and Thomas Carper, are also geared toward scrubbing personal information from cyberthreat indicators. But rather than putting the burden on companies, both are designed to push DHS to remove the personal information before sharing it with other government agencies.

The Coons and Carper amendments are aimed at the same goal as the other attempts to keep sensitive information out of cyberthreat indicators, but since CISA would allow businesses to share directly with any federal agency, there would remain ways for personal information to make its way into government systems.

LIABILITY

8. Prevents businesses from using CISA liability protections to break user agreements.

An amendment put forward by Sen. Rand Paul—the only one out of the dozen offered by the Kentucky Republican that will get a vote—targets CISA's liability protections, the main tool the legislation uses to get businesses to participate.

Paul's proposal would limit the liability protections extended to businesses so that companies would remain bound to the privacy agreements they enter into with their customers.

The provision is supported by privacy advocates for its encouragement of transparency, but opposed by businesses who are looking for the widest liability protections possible.

"If liability protection is removed or thrown into question, businesses will say, 'We just don't have a good bill here. It doesn't do any good for me when I'm battling—let's face it—the Chinese, North Koreans, the Iranians, the Russians, or cybercriminals,'" Eggers said.

OVERSIGHT

9. Implements a six-year sunset.

One proposal from Flake and Franken would set a six-year timer after which the bill would sunset. Congress would at that point have to reauthorize the bill and would have a chance to tweak it.

10. Requires government to notify individuals about improper sharing.

A second amendment from Wyden would require the government to notify individuals whose personal information was improperly shared or revealed.

11. Removes FOIA exemption.

A change proposed by Leahy would remove a part of the bill that exempts information shared through the program from Freedom of Information Act requests (but privacy advocates say most of the information would already be covered under standing exemptions).

12 and 13. Commission government cyber reports.

Two proposals, one from Sen. Jon Tester and another from Sen. Dan Coats, would commission government reports on cybersecurity.

Tester's amendment would require the government to report the number of threat indicators and defensive measures shared, the number of times personal information was removed, the number of times personal information was not removed but should have been, and the number of times the government used cyberthreat information to prosecute offenses not related to cybersecurity.

The amendment from Coats would commission a report on cybersecurity threats to mobile devices.

MANAGER'S AMENDMENT

14. Multiple privacy, operations, and oversight changes.

A set of changes put forward by the cosponsors of CISA, Sens. Dianne Feinstein and Richard Burr, makes basic changes that have the support of all sides. The manager's amendment includes changes to what can be shared, how shared information can be used, and how companies would be allowed to defend themselves against cyberthreats, and it would further curb exemptions from FOIA requests.

The changes from Feinstein and Burr put to rest some of the issues the privacy community was most worried about by allowing information-sharing only for cybersecurity purposes, and removing an authorization that would have allowed law enforcement to use cyberthreat information to pursue violent felons.

OTHER

15. Increases punishments for cybercrimes.

An amendment from Sen. Sheldon Whitehouse has raised alarm from privacy advocates for expanding penalties for violating the Computer Fraud and Abuse Act. That law, which makes accessing protected computers and networks illegal, has long come under fire for punishing low-level computer crimes and for discouraging legitimate security research.

The Whitehouse amendment to CISA would allow a zealous prosecutor to seek up to 20 years of prison time for an individual who harms a computer connected to "critical infrastructure," a term broadly defined by the Patriot Act.

16. Eases clearance process for committee staffers.

17. Establishes small-business cyber center at DHS.

Sen. David Vitter has two offerings in the mix: The first would make it easier for members on Senate committees that handle sensitive information to get at least one staffer a security clearance, and the second would establish resources for small-business cybersecurity within DHS.

18. Requires Department of State to write international cyber policy.

19. Mandates reports on foreign governments' cybercrime efforts.

A pair of amendments from Sens. Cory Gardner and Mark Kirk have to do with international cybersecurity policy. Gardner's amendment would require the secretary of State to draw up a "comprehensive strategy relating to United States international policy with regard to cyberspace" and make parts of it publicly available. Kirk's amendment would push the secretary of State to consult with governments of countries that are home to cybercriminals to determine how those criminals are being pursued.

20. Extends Privacy Act rights to allied countries' citizens.

An amendment offered by Sen. Chris Murphy extends the rights in the Privacy Act to U.S. allies, which would allow foreign citizens to challenge the way their private information is used in American courts.

21. Increases funding for OPM cybersecurity.

Sen. Barbara Mikulski put forward an amendment that would appropriate $37 million to the Office of Personnel Management to boost its cybersecurity efforts, a reaction to the devastating data breaches at that agency last year.

22. Authorizes DHS to introduce government-wide cyberdefenses.

And an amendment from Carper would tack on an entire bill—the Federal Cybersecurity Enhancement Act, a version of which Carper has offered as a standalone before—that would authorize DHS to roll out a cyberdefense system called Einstein to every federal agency.
