The 22 Amendments That Could Determine the Fate of the Senate’s Cybersecurity Bill

The amendments will get a vote if and when CISA comes up after recess.

Aug. 26, 2015, 5 a.m.

After a brief but heated battle, sen­at­ors packed up for sum­mer re­cess early this month without vot­ing on a key cy­ber­se­cur­ity bill. In an­noun­cing that the bill’s con­sid­er­a­tion would be delayed, Ma­jor­ity Lead­er Mitch Mc­Con­nell lined up 22 amend­ments that will get a vote when the bill comes up again in the fall, a product of in­tense ne­go­ti­ations over the bill’s fate.

The amend­ments—10 from Re­pub­lic­ans and 11 from Demo­crats, plus one from the bill’s bi­par­tis­an co-spon­sors—range widely in their goals, and they have been the sub­ject of a lob­by­ing push this month from both sup­port­ers and op­pon­ents of the Cy­ber­se­cur­ity In­form­a­tion Shar­ing Act, or CISA.

The bill sets up in­cent­ives for busi­nesses to share cy­ber­threat in­form­a­tion with the gov­ern­ment, with the goal of sup­ply­ing both with the tools and data they need to bol­ster their de­fenses. It will likely come up again after the Sen­ate re­con­venes in Septem­ber, but is just one is­sue in a tight le­gis­lat­ive sched­ule.

Here are the 22 amend­ments that could make or break the bill.


1. Of­fers li­ab­il­ity pro­tec­tion for shar­ing with FBI and Secret Ser­vice

CISA would al­low busi­nesses to share cy­ber­threat in­form­a­tion dir­ectly with any fed­er­al agency, but of­fers them li­ab­il­ity pro­tec­tion only for shar­ing with the De­part­ment of Home­land Se­cur­ity.

An amend­ment from Sen. Tom Cot­ton takes li­ab­il­ity pro­tec­tions a step fur­ther and would ex­tend them to com­pan­ies who want to share with the FBI or Secret Ser­vice.

The pro­vi­sion is a use­ful one for busi­nesses that reg­u­larly deal with data breaches. “If you think about when there’s a breach, the gov­ern­ment has re­peatedly said that it’s im­port­ant to come to law en­force­ment and work with law en­force­ment to help ad­dress that,” said An­drew Tannen­baum, cy­ber­se­cur­ity coun­sel at IBM. “One of the main en­tit­ies that a com­pany would share with in that situ­ation would be the FBI or the Secret Ser­vice, so it’s im­port­ant to in­clude that in the leg­al pro­tec­tions.”

But the Cot­ton amend­ment is also one of the most wor­ri­some for pri­vacy ad­voc­ates. Robyn Greene, policy coun­sel at New Amer­ica’s Open Tech­no­logy In­sti­tute, says the pro­pos­al has “ob­vi­ous pri­vacy and civil liber­ties con­cerns, be­cause the FBI is a do­mest­ic in­tel­li­gence and law-en­force­ment agency.” Greene says the Cot­ton amend­ment could be harm­ful to the pro­gram’s op­er­a­tions be­cause it fur­ther de­cent­ral­izes the pro­vi­sion of in­form­a­tion with­in the gov­ern­ment from the DHS hub.

2. Nar­rows defin­i­tions of cy­ber­se­cur­ity threats and in­dic­at­ors

An amend­ment put for­ward by three of the Sen­ate’s most out­spoken pri­vacy ad­voc­ates—Sens. Al Franken, Patrick Leahy, and Ron Wyden—nar­rows the defin­i­tions of cy­ber­se­cur­ity threats and the cy­ber­threat in­dic­at­ors that busi­nesses and the gov­ern­ment are al­lowed to share.

This amend­ment, which has the sup­port of civil-liber­ties groups, would al­low com­pan­ies to share cy­ber­threat in­form­a­tion only in­so­far as it’s “ne­ces­sary to de­scribe or identi­fy” a hand­ful of ma­li­cious activ­it­ies that hack­ers gen­er­ally en­gage in. It would also nar­row the defin­i­tion of cy­ber­threats by re­quir­ing that com­pan­ies only share in­form­a­tion about activ­it­ies “reas­on­ably likely” to res­ult in harm.

But the more re­strict­ive defin­i­tions of threats and in­dic­at­ors could be stum­bling blocks for busi­nesses that want to par­ti­cip­ate in the shar­ing pro­gram, says Matt Eggers, seni­or dir­ect­or of na­tion­al se­cur­ity pro­grams at the U.S. Cham­ber of Com­merce, which has been act­ive in sup­port­ing cy­ber­in­form­a­tion-shar­ing le­gis­la­tion for years.

“In a lot of ways, if you’re deal­ing with cy­ber­threat in­dic­at­ors, it may take a while to fig­ure out if there is real harm or po­ten­tial harm,” Eggers said. “If you have to wait un­til you know with near-cer­tainty or at least a high level of con­fid­ence that harm is be­ing done or could be done, time will have elapsed, and I think that’s the is­sue there.”

3. Re­states vol­un­tary nature of private sec­tor shar­ing

CISA’s spon­sors and sup­port­ers say the bill’s in­form­a­tion-shar­ing plat­form would be vol­un­tary, be­cause it uses only in­cent­ives to get busi­nesses to par­ti­cip­ate, but the bill’s op­pon­ents say the way the in­cent­ives are laid out all but force com­pan­ies to en­gage with the gov­ern­ment.

The ex­ist­ing pi­lot in­form­a­tion-shar­ing pro­gram, run through DHS, re­quires com­pan­ies to send the gov­ern­ment cy­ber­threat in­form­a­tion if they wish to re­ceive in­form­a­tion from oth­er par­ti­cipants. Ac­cord­ing to Amie Stepan­ovich, U.S. policy man­ager at Ac­cess, a di­git­al hu­man rights or­gan­iz­a­tion, stay­ing out of the loop is too high a price to pay not to share with the gov­ern­ment.

“Com­pan­ies will be forced to par­ti­cip­ate simply to keep up with their par­ti­cip­at­ing com­pet­it­ors,” Stepan­ovich wrote in a Wired op-ed last week. “Not to com­ply might ac­tu­ally harm their cor­por­ate in­terests and put their cus­tom­ers at risk.”

One of two amend­ments offered by Sen. Jeff Flake re­in­forces the vol­un­tary nature of the in­form­a­tion-shar­ing pro­gram when private com­pan­ies share in­form­a­tion with one an­oth­er, but Stepan­ovich says the Flake amend­ment does not ad­dress the like­li­hood that the gov­ern­ment will re­quire all par­ti­cipants to share cy­ber­threat in­form­a­tion.

“Once you get in­to con­tract ne­go­ti­ations, there are a lot of ways you can push en­tit­ies en­ter­ing in­to the con­tract in­to send­ing in­form­a­tion,” Stepan­ovich said in an in­ter­view this week. “It be­comes very likely that once they’re in these ne­go­ti­ations that the com­pany is go­ing to be roped in­to a con­trac­tu­al agree­ment that will have them send­ing in­form­a­tion to the gov­ern­ment.”


4. Re­quires com­pan­ies to re­move per­son­al in­form­a­tion “to the ex­tent feas­ible”

The busi­ness and civil-liber­ties com­munit­ies strongly dis­agree over wheth­er the cur­rent ver­sion of CISA would res­ult in in­di­vidu­als Amer­ic­ans’ per­son­al in­form­a­tion be­ing shared with the gov­ern­ment in­ap­pro­pri­ately.

New Amer­ica re­leased a break­down last week of the sorts of per­son­al in­form­a­tion that it says would end up in the cy­ber­threat in­dic­at­ors that busi­nesses are ex­pec­ted to share. The in­form­a­tion the think tank iden­ti­fied in­cludes IP ad­dresses, MAC ad­dresses, emails, doc­u­ments and me­dia files, and users’ web traffic.

The Cham­ber of Com­merce has been work­ing to counter those claims by put­ting out in­form­a­tion­al fly­ers through a cy­ber­se­cur­ity co­ali­tion made up of dozens of U.S. trade groups.

“Some pri­vacy and civil liber­ties groups per­petu­ate the false­hood that per­son­al in­form­a­tion is typ­ic­ally ne­ces­sary to identi­fy cy­ber threats,” read a re­cent Cham­ber fly­er. “This po­s­i­tion is in­ac­cur­ate and be­ing used to op­pose needed cy­ber­se­cur­ity in­form­a­tion-shar­ing le­gis­la­tion.”

The pro-busi­ness group says the amount of per­son­al in­form­a­tion that would be shared is very lim­ited, and will rarely be trace­able to its source. Its in­form­a­tion­al fly­er says cy­ber­threat in­dic­at­ors will “in the vast ma­jor­ity of cy­ber in­cid­ents do not im­plic­ate a per­son’s be­ha­vi­or­al, fin­an­cial, or so­cial in­form­a­tion.”

It’s no sur­prise that the amend­ment that would most ag­gress­ively in­crease CISA’s pri­vacy pro­tec­tions was put for­ward by Wyden, the Demo­crat from Ore­gon who once called the pro­posed le­gis­la­tion a “sur­veil­lance bill by an­oth­er name.”

The Wyden amend­ment would strengthen the re­quire­ment that private com­pan­ies re­move sens­it­ive per­son­al in­form­a­tion be­fore shar­ing cy­ber­threat in­dic­at­ors. The amend­ment would al­low com­pan­ies to in­clude per­son­al in­form­a­tion in the data they share only if the in­form­a­tion is ne­ces­sary to identi­fy or de­scribe a threat, and re­quire them to scrub per­son­al data “to the ex­tent feas­ible.”

CISA op­pon­ents have tar­geted this amend­ment as the most im­port­ant must-pass change to the bill. “This is a sig­ni­fic­ant front-end pro­tec­tion that would really im­prove not only the pri­vacy con­cerns in the bill, but also the op­er­a­tion­al ef­fect­ive­ness, be­cause what it’s go­ing to do is it’s go­ing to bet­ter cur­ate the threat data that’s shared,” said Greene.

But Eggers, of the Cham­ber of Com­merce, says busi­nesses are con­stantly on the lookout for vague or sub­ject­ive lan­guage that eludes easy in­ter­pret­a­tion—and he says the Wyden amend­ment falls in­to that trap.

“‘To the ex­tent feas­ible,’ I think, is go­ing to wrap law­yers, se­cur­ity pro­fes­sion­als, and oth­ers around the axle in terms of wheth­er or not they’ve re­moved in­form­a­tion suf­fi­ciently,” Eggers said.

5. Re­quires com­pan­ies to re­move per­son­al in­form­a­tion if they “reas­on­ably be­lieve” it’s un­re­lated

Sen. Dean Heller put for­ward an amend­ment that, like Wyden’s, would re­quire com­pan­ies to re­move per­son­al in­form­a­tion from cy­ber­threat in­dic­at­ors they share if they “reas­on­ably be­lieve” the in­form­a­tion does not re­late dir­ectly to a threat. While the Heller amend­ment im­poses less strin­gent re­stric­tions on busi­nesses than the Wyden amend­ment, it still lacks the “leg­al cer­tainty” Eggers says busi­nesses want.

6 and 7. Re­quire DHS to re­move per­son­al in­form­a­tion be­fore shar­ing with oth­er gov­ern­ment agen­cies

A pair of amend­ments put for­ward by Delaware’s two Demo­crat­ic sen­at­ors, Chris Coons and Tom Carp­er, are also geared to­ward scrub­bing per­son­al in­form­a­tion from cy­ber­threat in­dic­at­ors. But rather than put­ting the bur­den on com­pan­ies, both are de­signed to push DHS to re­move the per­son­al in­form­a­tion be­fore shar­ing it with oth­er gov­ern­ment agen­cies.

The Coons and Carp­er amend­ments are aimed at the same goal as the oth­er at­tempts to keep sens­it­ive in­form­a­tion out of cy­ber­threat in­dic­at­ors, but since CISA would al­low busi­nesses to share dir­ectly with any fed­er­al agency, there would re­main ways for per­son­al in­form­a­tion to make its way in­to gov­ern­ment sys­tems.


8. Pre­vents busi­nesses from us­ing CISA li­ab­il­ity pro­tec­tions to break user agree­ments

An amend­ment put for­ward by Sen. Rand Paul—the only one out of the dozen offered by the Ken­tucky Re­pub­lic­an that will get a vote—tar­gets CISA’s li­ab­il­ity pro­tec­tions, the main tool the le­gis­la­tion uses to get busi­nesses to par­ti­cip­ate.

Paul’s pro­pos­al would lim­it the li­ab­il­ity pro­tec­tions ex­ten­ded to busi­nesses so that com­pan­ies would re­main bound to the pri­vacy agree­ments they enter in­to with their cus­tom­ers.

The pro­vi­sion is sup­por­ted by pri­vacy ad­voc­ates for its en­cour­age­ment of trans­par­ency, but op­posed by busi­nesses who are look­ing for the widest li­ab­il­ity pro­tec­tions pos­sible.

“If li­ab­il­ity pro­tec­tion is re­moved or thrown in­to ques­tion, busi­nesses will say, ‘We just don’t have a good bill here. It doesn’t do any good for me when I’m bat­tling—let’s face it—the Chinese, North Koreans, the Ir­a­ni­ans, the Rus­si­ans, or cy­ber­crim­in­als,’” Eggers said.


9. Im­ple­ments a six-year sun­set

One pro­pos­al from Flake and Franken would set a six-year timer after which the bill would sun­set. Con­gress would at that point have to reau­thor­ize the bill and would have a chance to tweak it.

10. Re­quires gov­ern­ment to no­ti­fy in­di­vidu­als about im­prop­er shar­ing

A second amend­ment from Wyden would re­quire the gov­ern­ment to no­ti­fy in­di­vidu­als whose per­son­al in­form­a­tion was im­prop­erly shared or re­vealed.

11. Re­moves FOIA ex­emp­tion

A change pro­posed by Leahy would re­move a part of the bill that ex­empts in­form­a­tion shared through the pro­gram from Free­dom of In­form­a­tion Act re­quests (but pri­vacy ad­voc­ates say most of the in­form­a­tion would already be covered un­der stand­ing ex­emp­tions).

12 and 13. Com­mis­sion gov­ern­ment cy­ber re­ports

Two pro­pos­als, one from Sen. Jon Test­er and an­oth­er from Sen. Dan Coats, would com­mis­sion gov­ern­ment re­ports on cy­ber­se­cur­ity.

Test­er’s amend­ment would re­quire the gov­ern­ment to re­port the num­ber of threat in­dic­at­ors and de­fens­ive meas­ures shared, the num­ber of times per­son­al in­form­a­tion was re­moved, the num­ber of times per­son­al in­form­a­tion was not re­moved but should have been, and the num­ber of times the gov­ern­ment used cy­ber­threat in­form­a­tion to pro­sec­ute of­fenses not re­lated to cy­ber­se­cur­ity.

The amend­ment from Coats would com­mis­sion a re­port on cy­ber­se­cur­ity threats to mo­bile devices.


14. Mul­tiple pri­vacy, op­er­a­tions, and over­sight changes

A set of changes put for­ward by the co-spon­sors of CISA, Sens. Di­anne Fein­stein and Richard Burr, makes ba­sic changes that have the sup­port of all sides. The man­ager’s amend­ment in­cludes changes to what can be shared, how shared in­form­a­tion can be used, how com­pan­ies would be al­lowed to de­fend them­selves against cy­ber­threats, and it would fur­ther curb ex­emp­tions from FOIA re­quests.

The changes from Fein­stein and Burr put to rest some of the is­sues the pri­vacy com­munity was most wor­ried about by al­low­ing in­form­a­tion shar­ing only for cy­ber­se­cur­ity pur­poses and re­mov­ing an au­thor­iz­a­tion that would have al­lowed law en­force­ment to use cy­ber­threat in­form­a­tion to pur­sue vi­ol­ent felons.


15. In­creases pun­ish­ments for cy­ber­crimes

An amend­ment from Sen. Shel­don White­house has raised alarm from pri­vacy ad­voc­ates for ex­pand­ing pen­al­ties for vi­ol­at­ing the Com­puter Fraud and Ab­use Act. That law, which makes ac­cess­ing pro­tec­ted com­puters and net­works il­leg­al, has long come un­der fire for pun­ish­ing low-level com­puter crimes and for dis­cour­aging le­git­im­ate se­cur­ity re­search.

The White­house amend­ment to CISA would al­low a zeal­ous pro­sec­utor to seek up to 20 years of pris­on time for an in­di­vidu­al who harms a com­puter con­nec­ted to “crit­ic­al in­fra­struc­ture,” a term broadly defined by the Pat­ri­ot Act.

16. Eases clear­ance pro­cess for com­mit­tee staffers

17. Es­tab­lishes small-busi­ness cy­ber cen­ter at DHS

Sen. Dav­id Vit­ter has two of­fer­ings in the mix: The first would make it easi­er for mem­bers on Sen­ate com­mit­tees that handle sens­it­ive in­form­a­tion to get at least one staffer a se­cur­ity clear­ance, and the second would es­tab­lish re­sources for small-busi­ness cy­ber­se­cur­ity with­in DHS.

18. Re­quires De­part­ment of State to write in­ter­na­tion­al cy­ber policy

19. Man­dates re­ports on for­eign gov­ern­ments’ cy­ber­crime ef­forts

A pair of amend­ments from Sen. Cory Gard­ner and Sen. Mark Kirk have to do with in­ter­na­tion­al cy­ber­se­cur­ity policy. Gard­ner’s amend­ment would re­quire the sec­ret­ary of State to draw up a “com­pre­hens­ive strategy re­lat­ing to United States in­ter­na­tion­al policy with re­gard to cy­ber­space” and make parts of it pub­licly avail­able. Kirk’s amend­ment would push the sec­ret­ary of State to con­sult with gov­ern­ments of coun­tries that are home to cy­ber crim­in­als to de­term­ine how those crim­in­als are be­ing pur­sued.

20. Ex­tends Pri­vacy Act rights to al­lied coun­tries’ cit­izens

An amend­ment offered by Sen. Chris Murphy ex­tends the rights in the Pri­vacy Act to U.S. al­lies, which would al­low for­eign cit­izens to chal­lenge how their private in­form­a­tion is used in Amer­ic­an courts.

21. In­creases fund­ing for OPM cy­ber­se­cur­ity

Sen. Bar­bara Mikul­ski put for­ward an amend­ment that would ap­pro­pri­ate $37 mil­lion to the Of­fice of Per­son­nel Man­age­ment to boost its cy­ber­se­cur­ity ef­forts, a re­ac­tion to the dev­ast­at­ing data breaches at that agency last year.

22. Au­thor­izes DHS to in­tro­duce gov­ern­ment-wide cy­ber­de­fenses

An amend­ment from Carp­er would tack on an en­tire bill—the Fed­er­al Cy­ber­se­cur­ity En­hance­ment Act, a ver­sion of which Carp­er has offered as a stan­dalone be­fore—which would au­thor­ize DHS to roll out a cy­ber­de­fense sys­tem called Ein­stein to every fed­er­al agency.

What We're Following See More »
Mueller Agrees to Testify, but Only in Private
2 days ago
Trump Loses in Court Again
4 days ago
Trump Pulls the Plug on Infrastructure
4 days ago
Parties Go to Court Today Over Trump Banking Records
4 days ago
Tillerson Talking to House Foreign Affairs
5 days ago

"Former Secretary of State Rex Tillerson was spotted entering a congressional office building on Tuesday morning for what a committee aide told The Daily Beast was a meeting with the leaders of the House Foreign Affairs committee and relevant staff about his time working in the Trump administration. ... Tillerson’s arrival at the Capitol was handled with extreme secrecy. No media advisories or press releases were sent out announcing his appearance. And he took a little noticed route into the building in order to avoid being seen by members of the media."


Welcome to National Journal!

You are currently accessing National Journal from IP access. Please login to access this feature. If you have any questions, please contact your Dedicated Advisor.