Barring some potential, but unlikely, parliamentary maneuvers, the U.S. Senate will probably pass the Cybersecurity Information Sharing Act the week of Oct. 26.
The bill survived the procedural process last week, and if it’s approved by the full Senate, then Congress may consider a number of amendments intended to answer some of the most significant objections. The vote on the full bill is scheduled for Oct. 27, assuming that nothing interrupts the vote, which is always possible.
Senate rules allow members great latitude in how bills progress to an eventual vote. For example, a senator can put a hold on a bill for any number of reasons and while such a hold can be overcome by a 60-vote supermajority, that takes time and could result in the bill eventually becoming superseded by other legislation, such as approving the rise in the debt limit.
In addition, proposed amendments to the bill could be approved or they could be dismissed in their entirety in parliamentary wrangling. Because most of those amendments address concerns in the privacy aspects of the bill, such a change could also delay passage.
However the procedural vote that sent the bill to the full Senate for action passed by a lopsided 83-to-14 margin, far more than the 60-vote margin required to pass the bill. This would indicate that the votes are there to overcome any attempts to block passage, except in unusual circumstances.
Part of the reason that passage seems assured is that this is very much a bipartisan bill. The co-sponsors of CISA are the co-chairs of the Senate Intelligence Committee, Richard Burr (R-N.C.) and Dianne Feinstein (D-Calif.). In addition, the White House has expressed strong support for the bill.
The primary sticking point in CISA is privacy protections for personal identity data in information that’s shared with the government as part of a cyber-security investigation. Opponents see the sharing as a way for the National Security Agency or other government agencies to get their hands on personal information that might not otherwise be available or part of the scope of an active investigation.
Already, the Senate has rejected a proposed amendment by Senator Rand Paul (R-Ky.) that would have required companies to adhere to their stated privacy practices when turning over information to the government.
Once the bill has passed the Senate, assuming it does, it then must go to the House of Representatives. Whether the CISA bill will pass the House remains to be seen, especially considering that the body is preoccupied with electing a new speaker. Until that happens, any other legislation will be secondary and controversial legislation facing strong opposition from businesses and business lobbying groups seems sure to meet resistance in the house.
Cybersecurity Information-Sharing Bill Heading for Approval in Senate
This means that passage of CISA by both houses so it’s soon ready for the president’s signature remains questionable and will likely take an uncertain about of time. While the Senate will almost certainly pass CISA, that’s where any certainty ends.
There are many bills that have been passed by one house or other in Congress, but which have never even been considered by the other. This will give the anti-CISA lobbyists some hope beyond this week.
But looking beyond just the passage of this particular bill, the issue of CISA presents a larger problem. On one hand, cyber-security has become one of the most controversial public policy issues of our time.
As cyber-criminals get bolder, as nation-state-sponsored spying becomes ubiquitous, as losses grow and threats to citizens become greater, something clearly has to be done. To accomplish much of anything, disparate companies and government agencies need to share information as they work to fight the breaches.
But here, the challenge is how to keep the solution from being worse than the problem. Do you dare to share personal information with other companies and the government without knowing for sure what may happen to it? The CISA bill as written contains some important safeguards, and many of the amendments would seem to fill most of the other gaps. But will that work?
The U.S. Department of Justice, in its zeal to extend its power internationally, seems to have either forgotten the Fourth Amendment to the Constitution or it has found it too much of a roadblock as it ignores clear laws and international treaties prohibiting data searches it’s trying to force Microsoft to carry out.
It seems that the Justice Department would breach the Constitution that allows it to exist simply because it includes some inconvenient provisions. Is there any doubt why opponents to CISA are not persuaded by the promises of its backers?
Unfortunately, the sharing of cyber-security information in near-real time is really important to the success of any credible effort to at least keep terrorists, cyber-spies and criminals at bay. With the technical capabilities and thus the information needed to effectively counter a cyber-attack, there’s some hope of at least slowing down the occurrence of future cyber-attacks. Without that ability, those criminals can basically have their way with all of us.
The problem is striking a balance between giving government access to data while maintaining some semblance of Constitutionally guaranteed privacy rights. And this explains the opposition. Perhaps it’s time the House decides to write its own cyber-security bill, but this time to design in privacy protections from the ground up.