WASHINGTON – The Senate passed a bill Tuesday aimed at improving cybersecurity by encouraging companies and the government to share information about threats. It took roughly six years to win approval for such a program.
The Cybersecurity Information Sharing Act passed by a 74-21 vote. It overcame concerns about privacy and transparency from some senators and technology companies, such as Apple and Yelp.
The Senate rejected amendments, including one addressing concerns that companies could give the government personal information about their customers. Another failed amendment would have eliminated part of the bill that would keep secret information about which companies participate and what they share with the government.
The bill's co-sponsors, Sens. Dianne Feinstein, D-Calif., and Richard Burr, R-N.C., said the measure was needed to limit high-profile cyberattacks, such as the one on Sony Pictures last year.
"From the beginning we committed to make this bill voluntary, meaning that any company in America, if they, their systems are breached, could choose voluntarily to create the partnership with the federal government. Nobody's mandated to do it," Burr said.
Companies would receive legal protections from antitrust and consumer privacy liabilities for participating in the voluntary program.
The House passed its version of the bill earlier this year with strong bipartisan support. The two versions of the bill will need to be reconciled before being sent to the White House for the president's signature.
Sen. Ron Wyden, D-Ore., who opposed the bill, offered an amendment addressing privacy concerns, but it failed to pass. It would have required companies to make "reasonable efforts" to remove unrelated personal information about their customers before providing the data to the government.
"You just can't hand it over," Wyden said. "You've got to take affirmative steps, reasonable, affirmative steps, before you share personal information."
Senators also rejected an amendment Sen. Patrick Leahy, D-Vt., had offered that would have removed a provision to keep secret more information about materials that companies provide to the government. Leahy criticized the bill's new exemption from the U.S. Freedom of Information Act as overly broad because it pre-empts state and local public information requests, and it was added without public debate.
The Sunshine in Government Initiative, a Washington organization that promotes open government policies, urged the Senate last week to support Leahy's amendment. The AP is one of at least nine journalism groups that are members of the organization.
Despite the lengthy road to pass the Senate bill, it's unclear whether it would improve Internet security. Participation is voluntary and companies have long been reluctant to tell the U.S. government about their security failures.
"Passing the bill will have no effect on improving cybersecurity," said Alan Paller, director of research for the SANS Institute. "That's been demonstrated each time sharing legislation has been passed. The cost to companies of disclosing their failings is so great that they avoid it even if there is a major benefit to them of learning about other people's failings."
Senators passed an amendment by Sen. Jeff Flake, R-Ariz., that limited the bill to 10 years.
Cyberattacks have affected an increasing number of Americans who shop at Target, use Anthem medical insurance or saw doctors at medical centers at the University of California, Los Angeles.
More than 21 million Americans recently had their personal information stolen when the Office of Personnel Management was hacked in what the U.S. believes was a Chinese espionage operation.
Sen. John McCain, R-Ariz., chairman of the Senate Committee on Armed Services, called the bill's passage an important first step. He noted that in the past year the United States has been attacked in cyberspace by Iran, North Korea, China and Russia and that there had been attacks against the Joint Chiefs of Staff, the Pentagon, OPM and an email hacking of the director of the Central Intelligence Agency.
The U.S. and the technology industry already operate groups intended to improve sharing of information among the government and businesses, including the Homeland Security Department's U.S. Computer Emergency Readiness Team.
"What this bill means is more internet users' personal information being funneled, will be directed to, the National Security Agency under a cybersecurity umbrella," said Greg Nojeim, senior counsel for the Center for Democracy and Technology, a Washington-based civil liberties group. "A company can't both participate in this program and promise its users that it will not volunteer their personal information to the NSA."
Presidential candidates Sen. Bernie Sanders, I-Vt., and Rand Paul, R-Ky., had opposed the bill, although Paul and fellow presidential candidates Sens. Ted Cruz, R-Texas; Marco Rubio, R-Fla., and Lindsey Graham, R-S.C., each did not vote Tuesday. The White House has said it supports the information-sharing bill.