Senate punts cyber bill after reaching deal on amendments

Senators are punting a major cybersecurity bill to at least September after reaching an agreement Wednesday afternoon lining up the initial amendments to be offered.

The Cybersecurity Information Sharing Act (CISA), which facilitates the exchange of cyber threat information between companies and the government, is meant to help the nation prop up its faltering digital defenses.

The deal on amendments was struck just hours after it appeared negotiations might totally fall apart. Under the accord, privacy advocates will be able to offer a number of amendments without a limit on the debate time, a key provision for Senate Democrats.

{mosads}Democratic Sens. Ron Wyden (Ore.), Patrick Leahy (Vt.) and Al Franken (Minn.) will get to propose four of their desired edits.

“A couple of days ago it was my fear that this bill would be brought up — it’s a badly flawed bill — and it would be brought up with no opportunity for senators on both sides of the aisle to fix the legislation,” Wyden said on the floor just after the agreement was announced.

“There is going to be a real debate,” he added. “That’s of course what the United States Senate is all about.”

Civil liberties-minded Republican Sens. Dean Heller and Rand Paul will also get to offer one amendment each.

None of Paul’s non cyber-related amendments — including a measure to limit federal funding for immigration “sanctuary cities” and an amendment to audit the Federal Reserve — will see the floor to start. Several people with knowledge of the recent negotiations said these proposed add-ons were slowing a deal.

In total, Democrats will put forward 11 amendments, while Republicans will get to offer 10. But Senate aides said the two parties could agree to allow more amendments after wrapping up the initial set. 

While CISA supporters argue enhancing cyber threat information sharing is a necessity to better understand and repel potential cyberattacks, privacy advocates believe the bill will simply funnel more sensitive data on American citizens to government intelligence agencies.

Despite bipartisan support, a White House endorsement and industry backing, Senate leaders have been unable to move CISA for months, even after catastrophic hacks at the Office of Personnel Management (OPM) left over 22 million people’s sensitive data exposed.

Senate Majority Leader Mitch McConnell (R-Ky.) said the final pact would “set up expedited” consideration of CISA when the upper chamber returns in September.

But September is packed. Senators are facing multiple budget deadlines and a fight over the Iran nuclear deal, causing some to wonder whether lawmakers will be able to find floor time for CISA.

Senators on Wednesday said they were trying to tie the CISA amendments pact to an agreement to structure floor debate on Iran.

“We need a schedule for debate and votes on two major issues [Iran and cyber], plus we’ve got a whole September full of cliffs,” Senate Armed Services Committee Chairman John McCain (R-Ariz.) told reporters.

CISA has been stuck in the upper chamber since it cleared the Senate Intelligence Committee in March by a 14-1 vote. A jammed schedule and a toxic debate over digital privacy have sidetracked work on the measure.

Even after the House easily passed its two complementary pieces of companion legislation in April, the Senate’s measure got pulled into a bruising debate over reforming the National Security Agency (NSA) that dragged into June.

Weeks later, the OPM data breach forced Congress to shift its focus back to cybersecurity.

The cyberattacks, believed to be part of a Chinese espionage scheme, highlighted federal networks’ woefully deficient cyber defenses. Lawmakers bashed the Obama administration for sluggishly responding to years of inspector general warnings that the government’s computer systems were not safe from hackers.

In response, McConnell moved to link CISA’s language to a defense authorization bill. Democrats and a few Republicans revolted, angry they wouldn’t be allowed to amend CISA’s text, and blocked the maneuver.

With Wednesday’s deal, they now have their chance.

The privacy-minded cohort, led by Wyden, is hoping to restrict the sensitive data on Americans that might be shared with the government under the bill.

Franken’s edit, for example, would narrow the definition of “cyber threat indicator,” a broad category for the data companies will pass to federal agencies.

Wyden’s first alteration would insert stricter requirements for companies to inspect and strip personal details from cyber threat data. The second would mandate a process to notify people whose personal information may have been inappropriately shared.

Heller’s desired edit would also raise the standard on companies for removing sensitive data before sharing it with the government.

“Information sharing without vigorous, robust privacy safeguards will not be considered by millions of Americans to be a cybersecurity bill,” Wyden said. “Millions of Americans will say, ‘That legislation is a surveillance bill.’”

Sen. Barbara Mikulski (D-Md.), the top Democrat on the Senate Appropriations Committee, will also get to offer her provision that would bump up the OPM’s cybersecurity funding by $37 million between now and September 2017.

From the right, Sen. Tom Cotton (R-Ark.) will push a change that is likely to raise the ire of privacy advocates. Cotton is backing an amendment that would shield firms from legal culpability when sharing data directly with the FBI and Secret Service. As written, CISA only provides such protections when companies share data directly with the Department of Homeland Security (DHS).

Privacy advocates believe companies should only go through the DHS, which is seen as having the government’s best data privacy procedures.

With the battle lines hardening Wednesday, senators will now get at least a month to mull over which side they plan to fight for.

This story was updated at 6:10 p.m.