Senate Cyber Security Bill Hinges On 22 Amendments
Republicans and Democrats alike want to reshape the bill, which would encourage companies to share information with the government.
After a brief but heated battle, senators packed up for summer recess early this month without voting on a key cybersecurity bill. In announcing that the bill's consideration would be delayed, Majority Leader Mitch McConnell lined up 22 amendments that will get a vote when the bill comes up again in the fall, a product of intense negotiations over the bill's fate.
The amendments—10 from Republicans and 11 from Democrats, plus one from the bill's bipartisan cosponsors—range widely in their goals, and they have been the subject of a lobbying push this month from both supporters and opponents of the Cybersecurity Information Sharing Act, or CISA.
The bill sets up incentives for businesses to share cyberthreat information with the government, with the goal of supplying both with the tools and data they need to bolster their defenses. It will likely come up again after the Senate reconvenes in September, but it's just one issue in a tight legislative schedule.
Here are the 22 amendments that could make or break the bill.
OPERATIONS
1. Offers liability protection for sharing with FBI and Secret Service.
CISA would allow businesses to share cyberthreat information directly with any federal agency, but offers them liability protection only for sharing with the Department of Homeland Security.
An amendment from Sen. Tom Cotton takes liability protections a step further and would extend them to companies who want to share with the FBI or Secret Service.
The provision is a useful one for businesses that regularly deal with data breaches. "If you think about when there's a breach, the government has repeatedly said that it's important to come to law enforcement and work with law enforcement to help address that," said Andrew Tannenbaum, cybersecurity counsel at IBM. "One of the main entities that a company would share with in that situation would be the FBI or the Secret Service, so it's important to include that in the legal protections."
But the Cotton amendment is also one of the most worrisome for privacy advocates. Robyn Greene, policy counsel at New America's Open Technology Institute, says the proposal has "obvious privacy and civil-liberties concerns, because the FBI is a domestic intelligence and law-enforcement agency." Greene says the Cotton amendment could be harmful to the program's operations because it further decentralizes the provision of information within the government from the DHS hub.
2. Narrows definitions of cybersecurity threats and indicators.
An amendment put forward by three of the Senate's most outspoken privacy advocates—Sens. Al Franken, Patrick Leahy, and Ron Wyden—narrows the definitions of cybersecurity threats and the cyberthreat indicators that businesses and the government are allowed to share.
This amendment, which has the support of civil-liberties groups, would allow companies to share cyberthreat information only insofar as it's "necessary to describe or identify" a handful of malicious activities that hackers generally engage in. It would also narrow the definition of cyberthreats by requiring that companies only share information about activities "reasonably likely" to result in harm.
But the more restrictive definitions of threats and indicators could be stumbling blocks for businesses that want to participate in the sharing program, says Matt Eggers, senior director of national-security programs at the U.S. Chamber of Commerce, which has been active in supporting cyberinformation-sharing legislation for years.
"In a lot of ways, if you're dealing with cyberthreat indicators, it may take a while to figure out if there is real harm or potential harm," Eggers said. "If you have to wait until you know with near-certainty or at least a high level of confidence that harm is being done or could be done, time will have elapsed, and I think that's the issue there."
3. Restates voluntary nature of private-sector sharing.
CISA's sponsors and supporters say the bill's information-sharing platform would be voluntary, because it uses only incentives to get businesses to participate, but the bill's opponents say the way the incentives are laid out all but forces companies to engage with the government.
The existing pilot information-sharing program, run through DHS, requires companies to send the government cyberthreat information if they wish to receive information from other participants. According to Amie Stepanovich, U.S. policy manager at Access, a digital human-rights organization, staying out of the loop is too high a price to pay not to share with the government.
"Companies will be forced to participate simply to keep up with their participating competitors," Stepanovich wrote in a Wired op-ed last week. "Not to comply might actually harm their corporate interests and put their customers at risk."
One of two amendments offered by Sen. Jeff Flake reinforces the voluntary nature of the information-sharing program when private companies share information with one another, but Stepanovich says the Flake amendment does not address the likelihood that the government will require all participants to share cyberthreat information.
"Once you get into contract negotiations, there are a lot of ways you can push entities entering into the contract into sending information," Stepanovich said in an interview this week. "It becomes very likely that once they're in these negotiations that the company is going to be roped into a contractual agreement that will have them sending information to the government."
PRIVACY
4. Requires companies to remove personal information "to the extent feasible."
The business and civil-liberties communities strongly disagree over whether the current version of CISA would result in individual Americans' personal information being shared with the government inappropriately.
New America released a breakdown last week of the sorts of personal information that the group says would end up in the cyberthreat indicators that businesses are expected to share. The information the think tank identified includes IP addresses, MAC addresses, emails, documents and media files, and users' Web traffic.
The U.S. Chamber of Commerce has been working to counter those claims by putting out informational flyers through a cybersecurity coalition made up of dozens of U.S. trade groups.
"Some privacy and civil liberties groups perpetuate the falsehood that personal information is typically necessary to identify cyber threats," read a recent Chamber flyer. "This position is inaccurate and being used to oppose needed cybersecurity information-sharing legislation."
The pro-business group says the amount of personal information that would be shared is very limited, and will rarely be traceable to its source. The informational flyer says cyberthreat indicators "in the vast majority of cyber incidents do not implicate a person's behavioral, financial, or social information."
It's no surprise that the amendment that would most aggressively increase CISA's privacy protections was put forward by Wyden, the Democrat from Oregon who once called the proposed legislation a "surveillance bill by another name."
The Wyden amendment would strengthen the requirement that private companies remove sensitive personal information before sharing cyberthreat indicators. The amendment would allow companies to include personal information in the data they share only if the information is necessary to identify or describe a threat, and require them to scrub personal data "to the extent feasible."
CISA opponents have targeted this amendment as the most important must-pass change to the bill. "This is a significant front-end protection that would really improve not only the privacy concerns in the bill, but also the operational effectiveness, because what it's going to do is it's going to better curate the threat data that's shared," said Greene.
But Eggers, of the Chamber of Commerce, says businesses are constantly on the lookout for vague or subjective language that eludes easy interpretation—and he says the Wyden amendment falls into that trap.
"'To the extent feasible,' I think, is going to wrap lawyers, security professionals, and others around the axle in terms of whether or not they've removed information sufficiently," Eggers said.
5. Requires companies to remove personal information if they "reasonably believe" it's unrelated.
Sen. Dean Heller put forward an amendment that, like Wyden's, would require companies to remove personal information from cyberthreat indicators they share if they "reasonably believe" the information does not relate directly to a threat. While the Heller amendment imposes less stringent restrictions on businesses than the Wyden amendment, it still lacks the "legal certainty" Eggers says businesses want.
6 and 7. Require DHS to remove personal information before sharing with other government agencies.
A pair of amendments put forward by Delaware's two Democratic senators, Christopher Coonsand Thomas Carper, are also geared toward scrubbing personal information from cyberthreat indicators. But rather than putting the burden on companies, both are designed to push DHS to remove the personal information before sharing it with other government agencies.
The Coons and Carper amendments are aimed at the same goal as the other attempts to keep sensitive information out of cyberthreat indicators, but since CISA would allow businesses to share directly with any federal agency, there would remain ways for personal information to make its way into government systems.
LIABILITY
8. Prevents businesses from using CISA liability protections to break user agreements.
An amendment put forward by Sen. Rand Paul—the only one out of the dozen offered by the Kentucky Republican that will get a vote—targets CISA's liability protections, the main tool the legislation uses to get businesses to participate.
Paul's proposal would limit the liability protections extended to businesses so that companies would remain bound to the privacy agreements they enter into with their customers.
The provision is supported by privacy advocates for its encouragement of transparency, but opposed by businesses who are looking for the widest liability protections possible.
"If liability protection is removed or thrown into question, businesses will say, 'We just don't have a good bill here. It doesn't do any good for me when I'm battling—let's face it—the Chinese, North Koreans, the Iranians, the Russians, or cybercriminals,'" Eggers said.
OVERSIGHT
9. Implements a six-year sunset.
One proposal from Flake and Franken would set a six-year timer after which the bill would sunset. Congress would at that point have to reauthorize the bill and would have a chance to tweak it.
10. Requires government to notify individuals about improper sharing.
A second amendment from Wyden would require the government to notify individuals whose personal information was improperly shared or revealed.
11. Removes FOIA exemption.
A change proposed by Leahy would remove a part of the bill that exempts information shared through the program from Freedom of Information Act requests (but privacy advocates say most of the information would already be covered under standing exemptions).
12 and 13. Commission government cyber reports.
Two proposals, one from Sen. Jon Tester and another from Sen. Dan Coats, would commission government reports on cybersecurity.
Tester's amendment would require the government to report the number of threat indicators and defensive measures shared, the number of times personal information was removed, the number of times personal information was not removed but should have been, and the number of times the government used cyberthreat information to prosecute offenses not related to cybersecurity.
The amendment from Coats would commission a report on cybersecurity threats to mobile devices.
MANAGER'S AMENDMENT
14. Multiple privacy, operations, and oversight changes.
A set of changes put forward by the cosponsors of CISA, Sens. Dianne Feinstein and Richard Burr, makes basic changes that have the support of all sides. The manager's amendmentincludes changes to what can be shared, how shared information can be used, and how companies would be allowed to defend themselves against cyberthreats, and it would further curb exemptions from FOIA requests.
The changes from Feinstein and Burr put to rest some of the issues the privacy community was most worried about by allowing information-sharing only for cybersecurity purposes, and removing an authorization that would have allowed law enforcement to use cyberthreat information to pursue violent felons.
OTHER
15. Increases punishments for cybercrimes.
An amendment from Sen. Sheldon Whitehouse has raised alarm from privacy advocates for expanding penalties for violating the Computer Fraud and Abuse Act. That law, which makes accessing protected computers and networks illegal, has long come under fire for punishing low-level computer crimes and for discouraging legitimate security research.
The Whitehouse amendment to CISA would allow a zealous prosecutor to seek up to 20 years of prison time for an individual who harms a computer connected to "critical infrastructure," a term broadly defined by the Patriot Act.
16. Eases clearance process for committee staffers.17. Establishes small-business cyber center at DHS.
Sen. David Vitter has two offerings in the mix: The first would make it easier for members on Senate committees that handle sensitive information to get at least one staffer a security clearance, and the second would establish resources for small-business cybersecurity within DHS.
18. Requires Department of State to write international cyber policy.19. Mandates reports on foreign governments' cybercrime efforts.
A pair of amendments from Sens. Cory Gardner and Mark Kirk have to do with international cybersecurity policy. Gardner's amendment would require the secretary of State to draw up a "comprehensive strategy relating to United States international policy with regard to cyberspace" and make parts of it publicly available. Kirk's amendment would push the secretary of State to consult with governments of countries that are home to cybercriminals to determine how those criminals are being pursued.
20. Extends Privacy Act rights to allied countries' citizens.
An amendment offered by Sen. Chris Murphy extends the rights in the Privacy Act to U.S. allies, which would allow foreign citizens to challenge the way their private information is used in American courts.
21. Increases funding for OPM cybersecurity.
Sen. Barbara Mikulski put forward an amendment that would appropriate $37 million to the Office of Personnel Management to boost its cybersecurity efforts, a reaction to the devastating data breaches at that agency last year.
22. Authorizes DHS to introduce government-wide cyberdefenses.
And an amendment from Carper would tack on an entire bill—the Federal Cybersecurity Enhancement Act, a version of which Carper has offered as a standalone before—that would authorize DHS to roll out a cyberdefense system called Einstein to every federal agency.