UPDATE Wednesday, Dec. 16: Congress has folded the final version of CISA into an omnibus spending bill that will almost certainly be passed. Here's our look at the final version.
UPDATE Wednesday, Oct. 28: CISA passed the Senate yesterday, and the bill will be reconciled with two companion House bills before being sent to President Obama for his expected signature. We're writing up an analysis and will publish that shortly.
After a couple of false starts, the Cybersecurity Information Sharing Act of 2015 (CISA) finally reached the floor of the United States Senate for debate this week. The controversial cybersecurity bill is meant to let private companies share data with the federal government, and each other, about information-security threats and attacks — without running the risk that they could be sued or prosecuted for breaking privacy-protection or antitrust laws.
Proponents argue CISA is needed because most of the U.S. network infrastructure, and most of the sensitive information stored on computer servers, lies in private hands. Hence, the companies that own those networks and servers should be able to freely share threat information, and that the federal government should be involved because it can coordinate threat response across the Internet.
Opponents counter that CISA gives too much immunity to corporations, does not properly protect the private information of individuals, paves the way for misuse of personal data and could justify mass surveillance.
Amendments to the bill are currently being debated, and a floor vote is expected the week of Oct. 25. Here's everything you need to know about CISA, so that you can make up your own mind.
The issue of creating legal immunity for information-sharing has come up before. In 2012, the Cyber Intelligence Sharing and Protection Act (CISPA) made it through the House, but died in the Senate after the White House threatened a presidential veto. Many Silicon Valley firms backed CISPA, but political-action groups on both left and right said it threatened Internet freedom and personal privacy.
CISA is seen by its proponents as a "better" version of CISPA that takes more safeguards to protect personal data. Unlike its predecessor, it has the support of the White House, but many technology firms that had initially backed it, such as Apple, now seem to be changing their minds.
CISA was first introduced in July 2014 by Sen. Dianne Feinstein, D-Calif., vice chairwoman of the Senate Intelligence Committee, but failed to reach a floor vote before the end of the 113th Congress. It was re-introduced, in slightly modified form, in March 2015 by Intelligence Committee Chairman Richard Burr, R-N.C. Both versions were overwhelmingly approved by the Intelligence Committee, with Sen. Ron Wyden, D-Ore., as the sole current committee member voting against.
What CISA would do
In an opinion piece published in the San Jose Mercury News in July 2014, Feinstein said CISA "allows companies to share information for cybersecurity purposes."
CISA creates a system for federal agencies (including the departments of Defense, Homeland Security, Justice, and the Director of National Intelligence) to receive threat information from private companies, while providing legal immunity from privacy and antitrust laws to the companies that provide such information.
Under CISA, a private company would be able to give the government or other companies "cyberthreat indicators," or evidence of what suspected hackers had been doing, without fear that personal or private information exposed during the disclosure of those indicators would be used in criminal or civil complaints against the company.
The threat indicators might be useful for government agencies to stop an ongoing attack, or similar attacks in the future. The bill says all reporting by private companies would be entirely voluntary.
In her opinion piece, Feinstein said that CISA "is not an intelligence collection bill and doesn't alter requirements for conducting surveillance."
"Furthermore," she added, "the government is barred from using information shared with it for any regulatory action or criminal investigations not relating specifically to cybersecurity."
Roughly 100 amendments have been proposed for CISA, and the Intelligence Committee has consolidated many of them into a single Manager's Amendment. Another 21 amendments, 11 from the Democratic side and 10 from the Republican one, will be debated until early next week.
Those amendments are a compromise after a bit of political drama in June 2015. According to an article in Politico, the Senate Republican leadership tried to attach CISA to a defense bill, without considering all proposed amendments, including some that would have strengthened privacy protections.
Democrats and some Republicans felt the GOP leadership was trying to rush the bill through and banded together to keep it separate from the defense bill.
Senate Majority Whip John Cornyn, R-Texas, blasted the blockers as "irresponsible."
"I am astonished that just after, what, 4 million Americans' records have been hacked at the Office of Personnel Management," Cornyn said, "that they would not recognize the cyber threat as real and something we need to deal with."
The arguments for CISA
CISA's supporters say the bill would help all parties deal with cyberthreats more effectively. Under CISA, if a company detected suspicious items or activity, such as spy software that records passwords or software that lets hackers enter a protected system, that company could directly contact government officials.
The current text of CISA says that the data can be shared with the Department of Homeland Security (DHS), and from there, DHS will share the information "in real time" with any federal agency or department, as long as it pertains directly to a cybersecurity matter.
There are some loopholes. Non-cybersecurity information can also be shared without liability if it involves "imminent threat of death, serious bodily harm, or serious economic harm, including a terrorist act or a use of a weapon of mass destruction," "serious threat to a minor, including sexual exploitation and threats to physical safety" or many other major crimes, including serious violent felonies, fraud, identity theft, espionage, censorship and theft of trade secrets.
However, the text also reads that shared information can be used only in a manner that "protects from unauthorized use or disclosure any cyber threat indicators that may contain personal information of or identifying specific persons." It also mandates that the privacy and civil-liberties effects of CISA be reviewed and reported on every two years.
Asked in March, after having reintroduced CISA in the Senate, whether the bill would have thwartedrecent breaches of security such as those at Anthem Inc., Sony Pictures and JPMorgan Chase, Intelligence Committee Chairman Burr said the legislation would have helped with damage control.
"The truth is, would have happened, but we might have minimized the loss because of the response time that we could have provided those companies," Burr said in an interview with Bloomberg TV. "More importantly, the fears that existed with other health-care-data companies, or with other financial companies, they would have also been clued in by the federal government immediately. We would have made sure than no intrusions hit their systems."
CISA has received the backing of many heavy hitters in the technology industry. In July, the Information Technology Industry Council, a trade group that includes Adobe, AOL, Apple, Facebook, Google, HP, IBM, Intel, Microsoft, Samsung, Sony, Symantec, Twitter and Yahoo among its members, urged the Senate to pass CISA and implied it would keep track of which congressmen voted for and against the bill.
Other organizations in favor of CISA include the National Cable & Telecommunications Association, the Financial Services Roundtable and the United States Chamber of Commerce.
"Cyberattacks are being launched on a daily basis from various sources, and CISA would help companies achieve timely and actionable situational awareness, which will improve the business community, and the nation's detection, mitigation and response capabilities," Ann Beauchesne, senior vice president of National Security and Emergency Preparedness at the U.S. Chamber of Commerce, told Tom's Guide.
The arguments against CISA
Apple and Twitter have since changed their minds about CISA, and both have released strong statements opposing the bill.
"The trust of our customers means everything to us and we don't believe security should come at the expense of their privacy," Apple told the Washington Post.
"Security and privacy are both priorities for us and therefore we can't support #CISA as written," tweeted Twitter's official @policy account. "We hope to see positive changes going forward."
Another flip-flopper has been BSA The Software Alliance. In September, the top lawyers for 13 tech companies that are members of the alliance, including Adobe, Apple, IBM, Microsoft and Symantec, sent congressional leaders a letter urging "prompt House and Senate action" on five pending pieces of legislation.
Notably, however, the BSA letter did not mention CISA by name, instead referring to "cyber threat information sharing legislation [that] will promote cybersecurity and protect sensitive information." The next month, the group clarified its position to state that "BSA does not support any of the three current bills pending before Congress, including the Cybersecurity Information Sharing Act."
The Computer and Communications Industry Association, whose members include Amazon, eBay, Facebook, Google, Microsoft, Netflix and Yahoo, last week said that while it agreed with the bill's aims, it was "unable to support CISA as it is currently written" and "looks forward to working with Congress to improve CISA and other related cybersecurity bills."
Other opponents of CISA say the bill's privacy protections are too vague, and that it gives legal immunity to companies even if they share users' private information. Some say it's actually a surveillance bill in disguise.
"At its core, it's more about surveillance than it is about cybersecurity," Nathaniel Turner, a lobbyist assistant in the ACLU's Washington Legislative Office, told Tom's Guide.
Critics contend that the bill describes cyberthreat indicators quite broadly, and includes any attribute of a cyberthreat.
"This means the information [forwarded to the government] can include email, text messages or other communications, together with personally identifiable information or PII," Turner said. "Companies are only required to scrub out this kind of PII if they know at the time of sharing that the PII is not directly related to a cybersecurity threat."
Privacy advocates say the bill would let companies freely share any collected information that had been designated as a "cyberthreat indicator" with intelligence and law-enforcement agencies, such as the FBI or the NSA.
"Such sharing will occur because under this bill, DHS would no longer be the lead agency making decisions about the cybersecurity information received, retained, or shared to companies or within the government," Mark M. Jaycox, legislative analyst for the Electronic Frontier Foundation (EFF), told Tom's Guide.
There is language in the bill that preserves DHS as the lead agency in handling data received from private companies. But in a July 2015 letter to Sen. Al Franken, D-Minn., Deputy Secretary of Homeland Security Alejandro Mayorkas argued that CISA does not explicitly state that all information pass through DHS' National Cybersecurity and Communications Integration Center (NCCIC), which, according to Mayorkas, is the federal entity best able to strip information of personally identifiable information.
That lack of specificity, Mayorkas said, means that CISA could "sweep away important privacy protections."
"DHS recommends limiting the provision in the Cybersecurity Information Sharing Act regarding authorization to share information, notwithstanding any other provision of law, to sharing through the DHS capability housed in the NCCIC," Mayorkas wrote.
"The provisions grant the government far too much leeway in how to use the information for non-cybersecurity purposes," Jaycox said.
He added that the public would not even know what information is being collected, shared or used because the bill will exempt all of it from disclosure under the Freedom of Information Act.
The ACLU's Turner fears that CISA could be used for investigations and prosecutions relating to the Espionage Act.
"It is the most troubling piece of this bill," Turner said. "The Espionage Act has been used in many cases against whistleblowers, and even journalists, like James Rosen of Fox News."
One of many issues the EFF believes needs to be addressed is how the government stores information collected under CISA.
"The bill doesn't address problems like government storing information in unencrypted files, un-updated servers and employees (or contractors) clicking malware links," Jaycox said.
The grand finale — almost
As this story was written, the full Senate was debating amendments to CISA, and Senate Majority Leader Mitch McConnell, R-Ky., a strong proponent of CISA as written, expects to bring the finished legislation to a floor vote sometime next week.
Politico reports concern that an amendment proposed by Sen. Tom Cotton, R-Ark., might end up killing CISA if it were to be included. The amendment would remove DHS as the gatekeeper of shared information, and let companies contact the FBI or the Secret Service directly — which might prompt a White House veto.
Depending on which amendments end up being approved, the final CISA bill may or may not require specific privacy-protection methods, and may or may not explain how the government will prevent the misuse of shared data containing personal information. Privacy advocates say until those guidelines are formalized, they will continue to doubt the benefits of the bill.