• Looming Battle Over Cybersecurity Bill
  • August 28, 2015
  • Law Firm: McDonald Hopkins LLC - Cleveland Office
  • Majority Leader Mitch McConnell (R-Ky.) had hoped to pass a cybersecurity bill before Congress left for the August recess. The Senate recessed without a vote, but McConnell is promising cybersecurity will finally get an up-or-down vote this fall.

    The future of the bill may hang on 22 amendments that McConnell has agreed to allow when it is back on the floor. The 22 amendments - 10 from Republicans, 11 from Democrats, and one from the bill's bipartisan co-sponsors - are the product of intense negotiations aimed at getting the bill out of the upper chamber.

    The bill sets up incentives for businesses to share cyber threat information with the government, with the goal of supplying both with the tools and data they need to bolster their defenses. Among the 22 amendments to be considered, some could make final passage easier and others could make it more difficult.

    Some of the amendments to be considered include:

    1. An amendment from Sen. Tom Cotton (R-Ark.) that would offer liability protection for sharing with the FBI and Secret Service.

    CISA would allow businesses to share cyber threat information directly with any federal agency, but offers them liability protection only for sharing with the Department of Homeland Security. Cotton's amendment takes liability protections a step further and would extend them to companies that want to share with the FBI or Secret Service.

    The provision is a useful one for businesses that regularly deal with data breaches, but it is also one of the most worrisome for privacy advocates.

    2. A Franken/Leahy/Wyden amendment that would narrow the definitions of cybersecurity threats and indicators.

    This amendment, which has the support of civil-liberties groups, would allow companies to share cyber threat information only insofar as it is "necessary to describe or identify" a handful of malicious activities that hackers generally engage in. It would also narrow the definition of cyber threats by requiring that companies only share information about activities "reasonably likely" to result in harm.

    But the more restrictive definitions of threats and indicators could be stumbling blocks for businesses that want to participate in the sharing program.

    3. An amendment from Sen. Ron Wyden (D-Ore.) that would require companies to remove personal information "to the extent feasible."

    The business and civil-liberties communities strongly disagree over whether the current version of CISA would result in individual Americans' personal information being shared with the government inappropriately.

    The Wyden amendment would strengthen the requirement that private companies remove sensitive personal information before sharing cyber threat indicators. The amendment would allow companies to include personal information in the data they share only if the information is necessary to identify or describe a threat, and require them to scrub personal data "to the extent feasible."

    CISA opponents have targeted this amendment as the most important must-pass change to the bill.

    4. An alternative amendment, being offered by Sen. Dean Heller (R-Nev.), would require companies to remove personal information from cyber threat indicators they share if they "reasonably believe" the information does not relate directly to a threat. While the Heller amendment imposes less stringent restrictions on businesses than the Wyden amendment, it still lacks the "legal certainty" that business groups want.

    An amendment being offered by Sen. Rand Paul (R-Ky.) would prevent businesses from using CISA liability protections to break user agreements.

    Paul's proposal would limit the liability protections extended to businesses so that companies would remain bound to the privacy agreements they enter into with their customers.

    The provision is supported by privacy advocates for its encouragement of transparency, but opposed by businesses that are looking for the widest liability protections possible.

    5. A Franken/Flake amendment that would implement a six-year sunset on the legislation - giving Congress an opportunity to tweak the bill during subsequent reauthorizations.

    6. An amendment from Sen. Sheldon Whitehouse (D-Conn.) that would increase punishments for cybercrimes. The amendment, which would expand penalties for violating the Computer Fraud and Abuse Act, has drawn opposition from privacy advocates. The Computer Fraud and Abuse Act makes accessing protected computers and networks illegal, but has long come under fire for punishing low-level computer crimes and for discouraging legitimate security research.

    The Whitehouse amendment to CISA would allow a zealous prosecutor to seek up to 20 years of prison time for an individual who harms a computer connected to "critical infrastructure," a term broadly defined by the Patriot Act.