The Senate Has Overwhelmingly Passed CISA, a Privacy-Killing Cybersecurity Bill

The Senate passed the Cybersecurity Information Sharing Act 74-21 Tuesday, a step that clears the path forward for the highly controversial cybersecurity bill, which allows companies to share customer data with the federal government, to become a law.

The bill incentivizes companies to share "cyber threat" data with the federal government in real time. "Cyber threats" are poorly defined in the bill's language—some civil liberty experts have said that if your account has been used to send spam emails, for instance, it could lead to your information being passed to the Department of Homeland Security and then to the National Security Agency.

Oregon Senator Ron Wyden, the most vocal critic of the legislation, has said that it's a "surveillance bill," not a cybersecurity one.

Earlier Tuesday, several important amendments that would have required companies to implement strong consumer privacy protections were narrowly voted down, meaning the bill that was passed is the same one that has been slammed by Google, Apple, dozens of civil liberties organizations, and independent cybersecurity researchers around the nation.

"CISA is a nightmare dressed as a daydream; a surveillance bill masquerading as a cybersecurity bill," Nathan White, a lawyer with the civil liberties group Access, told me. "CISA is a backdoor to surveillance, giving the NSA access to more personal information for its expansive databases. CISA is fundamentally flawed because of its broad immunity clauses for companies, vague definitions, and aggressive spying powers."

Congress has attempted to pass some form of CISA for the last four years—it was originally called the Cybersecurity Information Sharing and Protection Act—but strong opposition from citizens, tech companies, and privacy organizations made it too politically dangerous to put to a vote in the Senate.

High-profile cyber attacks such as the Sony breach, Ashley Madison hack, and the Office of Personnel Management hack have put the issue of cybersecurity back in focus, however. Though most cybersecurity experts say the bill will do little to protect against future breaches, lawmakers have made it a serious issue.

Every senator supporting #CISA today voted against a world with freedom, democracy, and basic human rights. #StopCISA
— Fight for the Future (@fightfortheftr) October 27, 2015

Up until the end, call-in, email, and letter writing campaigns opposing the bill as well as strong condemnations of the legislation from civil liberties groups such as the Center for Democracy and Technology, Electronic Frontier Foundation, and Access, and major companies such as Apple and Google looked like they might have been able to kill the bill once again. Debate raged on the Senate floor for much of the last week and for seven hours Tuesday.

Nevada Sen. Dean Heller gave an impassioned plea earlier in the day to pass one of his amendments, which would have implemented stronger privacy protections in the bill, calling "the solution worse than the problem."

"Tech companies including Google and Apple all expressed the same concerns about privacy under this piece of legislation," he said. "It is our responsibility in Congress to listen to these concerns and address them."

Tom Carper, a Senator from Delaware, invoked the September 11th attacks, saying that a failure to share information could lead to catastrophic hacks.

"We did a lousy job of sharing the full truth on what was being plotted, what was going to come down and literally take thousands of lives in one day," he said. "We need to do a better job of sharing information when businesses come under attack. We need to do a better job of sharing that information business to business, business to government. We need to respond to those attacks."

The bill tentatively has President Obama's support and CISPA easily passed the House of Representatives twice before. The only serious impediment to its passage was in the Senate. Now that that hurdle has been cleared, legislation that many cybersecurity experts and Silicon Valley's most important companies hate looks like it's destined to become a law.