Senate Passes Dangerous Cybersecurity Information Sharing Act

WASHINGTON, DC — Today, the Senate passed the Cybersecurity Information Sharing Act (CISA, S. 754), with a vote of 74 to 21. The bill was broadly opposed by New America’s Open Technology Institute as well as many other civil society organizations, dozens of leading security experts, tech companies and trade associations because of concerns that it would threaten security and privacy. Several amendments that would have addressed some of these communities’ significant concerns failed by narrow margins. The substantial support for increased privacy protections and effectiveness of the information sharing process shown by these votes indicates that as Congress continues to consider the Senate and House bills through a conference process, it must take these considerations into account and prioritize these reforms.

The following statement can be attributed to Robyn Greene, Policy Counsel at New America’s Open Technology Institute:

“Instead of heeding the loud warnings of security experts, tech industry leaders, and civil society that CISA will harm privacy and security, the Senate has opted to move forward on this dangerously broad bill. Cyber threats are of serious concern and are deserving of serious solutions, but passage of CISA is disappointing because it takes us further down the wrong road for cybersecurity.”

“It’s notable that so many positive amendments won such broad support. The Wyden amendment was about as close to a gold standard for privacy protection as you can get for information sharing, and it had bipartisan support from 41 members. That sends a strong message that both sides of the aisle view CISA’s privacy protections as too weak. CISA’s sponsors need to take that message with them as they begin to conference a negotiated bill with the House. After all, only 41 votes are needed to stop a negotiated bill in its tracks in the Senate.”

Today the Senate voted on the following amendments, and OTI’s analysis and position on several of those amendments is available by the hyperlink on the amendment sponsor’s name:

• Wyden Amendment on Requiring Companies to remove Personal Information (No. 2621): This amendment would have required that companies to remove personal information that is unnecessary to respond to cyber threats before sharing information with the government. The amendment failed by a vote of 41-55.

• Heller Amendment on Requiring Government to Remove Personal Information (No. 2548): This amendment would have enhanced the bill’s requirement for the government to remove personal information prior to disseminating cyber threat indicators. The amendment failed by a vote of 47-49.

• Franken Amendment to Clarify Definitions (No. 2612): This amendment would have enhanced operational effectiveness by clarifying the definitions of “cybersecurity threat” and “cyber threat indicators” to reduce the sharing of information on false positives and personal information. The amendment failed by a vote of 35-60.

• Coons Amendment on Automatic Dissemination of Information (No. 2552): This amendment would have protected personal information before it is shared between government agencies. The amendment failed by a vote of 41-54.

• Leahy Amendment to Protect Transparency (No. 2587): This amendment would have removed a new and unnecessary Freedom of Information Act exemption in the bill that would exclude information shared under CISA. The amendment failed by a vote of 37-59.

• Cotton Amendment Incentivizing Sharing with FBI (No. 2552): This amendment would have undermined situational awareness and DHS’s operational control by provided providing liability protection for sharing information directly with the FBI. The amendment failed by a vote of 22-73.