Congress has moved to improve the nation's defenses against hackers, but in this particular fight, lawmakers and Silicon Valley don't see eye to eye.
In response to the recent barrage of data breaches targeting government agencies and businesses, the Senate approved a measure Tuesday that encourages companies to share cyberthreat information with the government, granting businesses legal protection if they choose to participate. The bill passed with a vote of 74–21, but many web companies stand against the measure, believing it does too little to ensure their customers' privacy, undermining consumer trust.
Known as the Cybersecurity Information Sharing Act (CISA), the bill represents the Senate's most ambitious effort yet to thwart cyberattacks.
CISA works by establishing a central cybersecurity portal within the Department of Homeland Security, where companies like Facebook, Google, and Microsoft can voluntarily share threat information. That data, stripped of personal information, can be collected and passed to other government agencies and private businesses.
CISA's supporters say increased information sharing will aid law enforcement efforts to prosecute cybercrime and help companies secure sensitive consumer data. Proponents have the backing of the Obama administration and a bipartisan majority in the House of Representatives, which approved CISA companion bills earlier this year.
"The challenges posed by cyberattacks are real and they are growing," Majority Leader Mitch McConnell said on the Senate floor Tuesday. CISA's "voluntary information sharing provisions are key to preventing cyberattacks and protecting the personal information of the people we represent."
Critics of CISA, including a vocal faction of technology companies like Apple, Twitter, and Reddit, have publicly taken a stand against the bill, citing a lack of privacy protections. Others, like Sen. Ron Wyden, dispute CISA's efficacy as a cybersecurity tool and liken its information sharing incentives to a new, invasive surveillance law.
Sen. Wyden, along with Sens. Rand Paul, Patrick Leahy, and Al Franken, were among a group of lawmakers who sought to amend CISA through privacy-enhancing measures. Proposals to restrict the types of consumer information that can be shared, and the removal of a blanket Freedom of Information Act exemption on the shared data, all failed.
Sen. Richard Burr, one of the co-sponsors of CISA, said on the Senate floor Tuesday that the bill is the product of several years of careful bipartisan work and strikes the right balance of privacy protections and heightened security. Supporters describe CISA as legislation urgently needed, with financial data, personal identities, and national security at stake. Evoking the massive data breaches at Sony, Home Depot, and the Office of Personnel Management, where the social security numbers and fingerprints of millions of government employees were stolen, CISA's backers depicted a vulnerable world without the bill.
Sen. Burr specifically addressed the companies that are opposed to CISA, saying, "You might not like the legislation, but for goodness' sakes do not deprive every other business in America from having the opportunity to have this partnership."
Along with his co-sponsor Sen. Dianne Feinstein, Sen. Burr highlighted in the final days of debate the broad support CISA enjoys from the private sector, and their accommodations to privacy of the bill.
Now that the upper chamber has approved CISA, members appointed by the Senate and the House will negotiate discrepancies between the differing versions. A final vote on the bill will take place before hitting President Obama's desk.