Security trumps privacy as Senate passes controversial cyber bill

If you value security over privacy, you might applaud the US Senate's vote Tuesday to pass the controversial Cybersecurity Information Sharing Act.

The bill allows companies to share evidence of cyberattacks with the US government, without fear of lawsuits if that information also violates your privacy. Proponents say CISA makes it easier for the government to coordinate threat information and responses across the companies and organizations that need it. Opponents, including Apple and more than 20 other leading tech companies, say the bill could give the government greater leeway to spy on US citizens.

The ayes had it on the Senate floor.

"While there is no silver-bullet solution to stopping cyberattacks, this legislation is a positive step toward enhancing our nation's cybersecurity," US Chamber of Commerce President and CEO Thomas J. Donohue said in a statement.

Minnesota Democrat Al Franken, one of the 21 senators who voted against CISA, expressed his disappointment with the bill's approval. "There is a pressing need for meaningful, effective cybersecurity legislation that balances privacy and security," he said in a statement. "This bill doesn't do that."

Apple, Twitter and Dropbox declined to comment on the passage of the bill, though they all opposed the bill before its passage.

The vote Tuesday helps usher in the end of a five-year struggle to encourage companies to share information about cyberthreats with the Department of Homeland Security. CISA was first introduced in 2014 but failed to reach the Senate before that session of Congress ended. Two years ago, the Cyber Intelligence Sharing and Protection Act (CISPA) was approved by the House, but died in the Senate.

President Barack Obama said he supports the bill.

High-profile cyberattacks on government agencies and companies such as Sony Pictures, United Airlines and extramarital affairs site Ashley Madison might have prompted the Senate to approve the bill, security experts say.

"With security breaches like T-Mobile, Target, and [the US government's Office of Personnel Management] becoming the norm, Congress knows it needs to do something about cybersecurity," Mark Jaycox of the Electronic Frontier Foundation said in a statement Tuesday. "It chose to do the wrong thing."

At issue is the fact that CISA allows companies to share information directly with law enforcement and intelligence organizations. What's especially troubling, critics say, is that the information can include email, text messages and other data that can identify individuals. Companies are supposed to delete that information before they send it, but there's always the chance that our "personal identifiers" could still slip through.

The US Department of Homeland Security acknowledged that the bill "raises privacy and civil liberties concerns," given provisions for sharing cyberthreat information without delay or modification.

"While DHS aims to conduct a privacy scrub quickly so that data can be shared in close to real time, the language [of the bill] as currently written would complicate efforts to do so," Alejandro Mayorkas, deputy secretary of the agency, wrote in a letter to Franken.

After the vote Tuesday, NSA whistleblower Edward Snowden tweeted a pointer to the names of the senators who approved the bill.

CISA now heads to a Congressional conference whose members will match the passed Senate and House bills before sending the legislation to Obama's desk.