Senate Passes Cyber Bill, Ducking Privacy Fears for Now

Des­pite howls of protest from pri­vacy ad­voc­ates, the Sen­ate on Tues­day passed le­gis­la­tion aimed at bol­ster­ing the na­tion’s de­fenses against hack­ers.

The Cy­ber­se­cur­ity In­form­a­tion Shar­ing Act, or CISA, passed the Sen­ate 74-21.

Since the House earli­er this year passed two dif­fer­ent ver­sions of a cy­ber-in­form­a­tion-shar­ing bill, law­makers from the Senate and House will have to come to­geth­er in a con­fer­ence to align their ver­sions of the le­gis­la­tion in­to a fi­nal, uni­fied ver­sion of the bill that will need to be passed again by both cham­bers be­fore it can be signed in­to law.

Op­pos­i­tion to the bill, which would provide in­cent­ives to private busi­nesses to share in­form­a­tion about on­line threats with each oth­er and with the fed­er­al gov­ern­ment, was led by the Sen­ate’s pri­vacy hawks—Ron Wyden, Patrick Leahy, and Al Franken—and backed by civil liber­ties groups and tech com­pan­ies who were un­happy with the bill’s pri­vacy pro­tec­tions.

But CISA’s co­spon­sors, Sens. Richard Burr and Di­anne Fein­stein, with the sup­port of two hugely in­flu­en­tial trade groups in the U.S. Cham­ber of Com­merce and the Fin­an­cial Ser­vices Roundtable, ral­lied sen­at­ors around their bill, call­ing it a ne­cessary but in­cre­ment­al step to­ward pre­vent­ing massive data breaches like the ones that af­fected Sony Pic­tures En­tertainment and the Of­fice of Per­son­nel Man­age­ment over the last year.

Be­fore leav­ing for a month­long re­cess in Au­gust, sen­at­ors set up 22 amend­ments to get votes along­side the bill. Burr and Fein­stein fol­ded a num­ber of amend­ments that they sup­por­ted in­to a man­ager’s pack­age, which tweaked the bill with a limited in­crease in pri­vacy pro­tec­tions, but left about a dozen oth­ers that they did not sup­port to get in­di­vidu­al votes.

Related: Even DHS Doesn’t Want the Power It Would Get Under CISA

On Tues­day morn­ing, sen­at­ors con­sidered a num­ber of amend­ments that would have bolstered the bill’s pri­vacy pro­tec­tions. The pro­posed changes would have tightened mech­an­isms for re­mov­ing sens­it­ive per­son­al in­form­a­tion from the threat in­dic­at­ors that would be shared un­der the pro­gram, spe­cified the kind of in­form­a­tion that could be con­sidered threat­en­ing enough to be shared, and made cer­tain in­form­a­tion avail­able to Free­dom of In­form­a­tion Act re­quests.

The Sen­ate voted down all of the pri­vacy of­fer­ings.

The day’s votes caught the eye of Ed­ward Snowden, who took to Twit­ter to push for the pri­vacy changes, and, when they were voted down, to shame the law­makers who voted against them.

Be­fore tak­ing up the bill and vot­ing on fi­nal pas­sage, two more in­di­vidu­al amend­ments got a vote, in­clud­ing an es­pe­cially con­tro­ver­sial change from Sen. Tom Cot­ton, which pro­posed ex­tend­ing li­ab­il­ity pro­tec­tions to com­pan­ies that chose to share dir­ectly with the FBI and the Secret Ser­vice.

Burr and Fein­stein said the amend­ment would undo their work to set up the De­part­ment of Home­land Se­cur­ity as the cent­ral clear­ing­house for shared threat data, a view the White House said it shared in an of­fi­cial policy state­ment cir­cu­lated last week.

Cot­ton’s amend­ment, which Burr called a “deal-killer,” was over­whelm­ingly re­jec­ted, 73-22.

Fi­nally, sen­at­ors took up the man­ager’s amend­ment and the fi­nal bill, and passed both.

IBM, one of the busi­nesses that lob­bied in fa­vor of the bill, cel­eb­rated its pas­sage. “Today’s vote is a big win for both se­cur­ity and pri­vacy,” said Timothy Shee­hy, the com­pany’s vice pres­id­ent for tech­no­logy policy af­fairs. “Shar­ing tech­nic­al de­tails on the latest di­git­al threats is crit­ic­al to strength­en­ing Amer­ica’s cy­ber de­fenses.”

At a press con­fer­ence after the fi­nal vote, Burr and Fein­stein thanked sen­at­ors who worked with them on the bill, and lauded the bi­par­tis­an nature of its pas­sage. “What we saw in this pro­cess is the United States Sen­ate as it’s sup­posed to func­tion,” Burr said.

“On oc­ca­sion, we can defy the com­mon wis­dom that we’re totally grid­locked here in Wash­ing­ton,” ad­ded Sen. John Mc­Cain.

But pri­vacy groups vowed to keep fight­ing to boost the pri­vacy pro­tec­tions as the cy­ber­se­cur­ity le­gis­la­tion con­tin­ues through the polit­ic­al pro­cess.

“To avoid a veto, whatever emerges from the con­fer­ence com­mit­tee must be a bill that meets Pres­id­ent Obama’s pre­vi­ous stand­ards,” said Nath­an White, seni­or le­gis­lat­ive man­ager at Ac­cess, a di­git­al hu­man-rights or­gan­iz­a­tion. “The ad­min­is­tra­tion’s policy up to this point has been very clear—it has sup­por­ted CISA’s pro­cess but ex­pressed con­cerns that it is cur­rently ‘dan­ger­ous to cy­ber­se­cur­ity.’

“Today’s vote is a dis­ap­point­ment,” White ad­ded. “But it is not the end of the road.”