The U.S. Senate is scheduled to consider early Tuesday the Cybersecurity Information Sharing Act of 2015, a controversial bill that is intended to encourage businesses to share information about cyberthreats with the government by providing them immunity from customer lawsuits.
The CISA bill has been criticized by civil rights groups and some companies in the technology industry, which claim the proposed legislation, dubbed a surveillance bill in disguise, provides loopholes for government intelligence agencies like the National Security Agency to get access to personal information of users.
The bill has powerful backers though, including industry groups, many lawmakers and the White House, which believe the legislation is necessary in the wake of a large number of recent cyberattacks on companies and government agencies.
Of particular concern to privacy groups is a provision in CISA that allows for the direct sharing of information with agencies without the Department of Homeland Security performing its traditional lead role in this regard. The DHS opposed this provision in a letter in July to Senator Al Franken, a Democrat from Minnesota, saying it would be inefficient and affect user privacy.
The administration of President Barack Obama has backed the sharing of cyberthreat information with the federal government but said it would support it being routed through the DHS and then disseminated in “real-time” to other agencies with appropriate privacy protections. The provision for real-time sharing has been criticized by privacy groups as there is concern that current DHS privacy protections won’t be applied to the information.
The Senate will convene at 10:00 am on Tuesday and consider amendments to the bill, which have been proposed by both its backers and opponents. Senator Ron Wyden, a Democrat from Oregon and a strong privacy advocate, has proposed an amendment to improve the requirements relating to removal of personal information from cyberthreat indicators before sharing.
In contrast, Senator Tom Cotton, a Republican from Arkansas, will push for liability protection for businesses that share cyberthreats with the Federal Bureau of Investigation and the Secret Service. This amendment will likely prove to be divisive as it would run counter to the views of the Obama administration and those of privacy advocates over the intermediary role of the DHS.
Cotton wants to allow businesses that have established threat-sharing relationships with the FBI or Secret Service “to maintain their existing channels for sharing without incurring significant costs and delays to establish new ones with DHS.”
After considering the amendments, the Senate could try to pass the bill. Fight For the Future, an advocacy group opposed to CISA, said in a Reddit AMA (Ask Me Anything) on Monday that “fortunately, CISA isn’t law yet, but it will have its final Senate vote this week and we need a dozen more senators to vote against it.” It has called on people to contact their legislators to convey their opposition to the bill.