The Senate has soundly defeated the Paul Amendment, which backers of the cybersecurity Information Sharing Act (CISA) -- including cable operators and major financial services firms -- said would have weakened liability protections and discouraged participation.

Those protections shield companies from lawsuits for inappropriate sharing of information with each other and the government so long as it was inadvertent. Given that the cyber threat sharing allowed by the bill is voluntary, that shield is meant to encourage companies to participate.

CISA would make it easier for business-to-business, business-to-government, and government-to-business sharing of cyber threat information, with the Department of Homeland Security overseeing an automatic "portal" through which the information will pass, and ostensibly be scrubbed of any personal information that was not scrubbed by the companies, save for that information crucial to identifying and addressing the threat.

The vote was 65-32 against (thanks. C-SPAN) as the Senate continued to vote on amendments to the bill, which likely will not get a final vote until next week.

"The Paul Amendment would throw into doubt a firm’s liability protections for even an inadvertent violation of a terms of service or privacy agreement, and could subject the company to loss of its liability protections, leaving businesses open to litigation," the Financial Services Roundtable--banks, credit card companies, lenders--had argued before the vote in arguing the amendment be defeated.

Senate Intelligence Committee Chair Richard Burr (R-N.C.) said Wednesday (Oct. 21) that it looked like the Cybersecurity Information Sharing Act (CISA) would not be ready for a final vote until Monday or Tuesday of next week. 

The bill allows businesses to share cyberthreat information with each other, with the government, and for the government to share information about those threats and how to defend against them, with businesses, all in as close to real time as possible. The information would be submitted to a Homeland Security Department (automated system) portal.

The problem is the growing number of attacks on business and government and the need to flag those and share ways to stop them in as close to real time as possible.

Burr, who backs the bill, took to the Senate floor to say the bill is important, balances security and privacy, and is entirely voluntary. Companies that don't want to share their information with each other of the government don't have to, he said.

And since it is voluntary, Burr said, it incentivizes companies by giving them blanket immunity from antitrust laws to collaborate on identifying and addressing cybersecurity threats, but only for that reason, and a focused immunity from lawsuits over inadvertently sharing personal information, which must be scrubbed before data sharing unless it is vital to identifying threat. There will not be immunity for gross negligence or willful misconduct.

That came despite the adoption of a new version of the bill (in the form of a managers amendment) that included 14 amendments and 20 new provisions that another of the bill's major backers, Sen. Diane Feinstein (D-Calif.), should address many of the privacy group issues with the bill, unless they simply want to kill the bill rather than improve it, she said.

Sen. Harry Reid (D-Nev.), Senate minority leader, earlier in the day urged passage of the bill, saying it was not perfect, but it was "OK," and long overdue.

Intelligence Committee member Sen Ron Wyden (R-Ore.), who opposes the bill, said the new version still did not sufficiently protect privacy.

Burr pointed out that many big tech companies oppose the bill, but advised them to read the manager's amendment. He also pointed out that those opponents--Feinstein called out Apple, Google and Microsoft by name--are the ones that hold large amounts of personal data.

Feinstein and Burr talked extensively about why the bill was not a surveillance bill, and about all the new privacy protections that were added in the manager's amendment to make it more acceptable to privacy groups and some members who Burr argued have been opposing any legislation.

Those include that the bill no longer allows the government to use cyber threat information on non-cyber crimes, even serious violent felonies. Burr had wanted that provision, but said it was now out in the interests of accommodating the bill's critics.

According to Feinstein, the bill also now limits the authority to sharing information to cybersecurity only, and again, that information has to be scrubbed of personally identifiable information before it is shared.

It also limits defensive measures against attacks by saying that cannot include gaining unauthorized access to computer networks. Feinstein and Burr also pointed to oversight provisions, including internal IG investigations and independent oversight boards, as well as periodic reports to Congress.

On the "voluntary" issue, Burr and Feinstein pointed out that the information cannot be used by regulatory agencies against the companies that supply it, though it does direct federal agencies to report on how they prevent their own cyber intrusions.

Wyden said that while information sharing can be valuable and cybersecurity is crucial. But he said the bill is badly flawed because it does not have robust privacy standards for information sharing, which is why critics call it a surveillance bill.

Wyden said immunity from lawsuits won't stop sophisticated attacks like that of the Office of Personnel Management. He said the big criticism of the bill is its impact adverse on privacy, which outweighs the limited security benefits. He said the new bill's privacy protections are too weak. He also cited the tech companies that have come out against the bill, saying they are in the best position to know what threatens customer confidence, which he says is the bill's lack of privacy protections.

Wyden pushed for an amendment that would better insure personally identifiable information (PII) would be scrubbed.

Wyden alluded to the fallout by the EU Court to strike down the safe harbor data agreement. He said he opposes that ruling, but says this bill needs to send the right signal that the U.S. is protecting privacy, but says in its present form would do the opposite.

He called roll of companies that oppose the bill: Apple, Twitter, Yelp, as well as Google, Amazon, Facebook, Microsoft, PayPal, eBay as members of the Computer and Communications Industry Association, which say the bill does not adequately protect privacy.

An unhappy Sen. Sheldon Whitehouse (D-R.I.) complained that he could not get a vote on his amendment targeting botnets, asking if there were a pro-botnet, pro-foreign cybercriminals caucus he did not know about,  and said he did not know how he would vote on the bill.  Sen. tom Carter (D-De.) said if his amendment did not get a vote in the Senate, he would work to make sure it was brought up in conferencing with the House.

If the bill passes, it must still be conferenced with two House versions of cybersecurity legislation and get the President's signature. To that point, Burr said that the National Security Council would be coming out in support of the bill Thursday (Oct. 22).

The Senate will reconvenes this morning (Oct. 21) to continue debate on S. 754, the Cybersecurity Information Sharing Act (CISA), which allows for more sharing of cyberthreat information between businesses and with the government.

It would also allow law enforcement access to the info in cases of fraud, ID theft, or imminent harm.

The bill, which passed 14-1 out of the Senate Select Committee March 13, would make it easier for ISPs to share cyber threat indicators (CTIs) – usually computer code – and to take defensive measures to counter such attacks from botnets, viruses, malware and more.

The legislation authorizes voluntary sharing of cyber threat information between companies and with the government, with the stipulation that companies have to take "appropriate measures" to protect against sharing personally identifiable information. It includes including shielding them from legal liability for errors in that sharing so long as they were inadvertent.

Cable operators and other ISPS back the bill, while a number of privacy groups and computer companies don't, saying it is more about surveillance than boosting cybersecurity and suggesting the government has not proven to be a reliable steward of data.

The Financial Services Roundtable (FSR) has launched a D.C. media campaign to urge the Senate to pass the Cybersecurity Information Sharing Act (CISA), which would allow businesses including cable ISPs whose networks carry much of that info,  to share cyber threat information, including shielding them from liability for errors in that sharing. The Senate is expected to take up the bill as early as this week.

FSR is a trade group representing the financial services industry, which includes the banks, insurance companies, asset management, and finance and credit card companies whose information is a prime target of hackers looking to follow the money.

A spokesperson for the roundtable said the campaign would run several weeks, but had no hard end date, and would feature ads on WTOP Washington as well social media and mobile banner ads. The radio ads will run Tuesday through Thursday in morning drive.

There is also a YouTube video backing the bill (https://youtu.be/EMm04Ot2TG8), but the group is not buying TV time, simply posting and promoting. 

The ads are meant to counter the other side of the issue, privacy groups and some computer companies complaining that the bill will "sweep away" protections and "let companies off the hook" for improper sharing of personal info (the liability protection).

Cable operators, who would get that liability carve-out, support the bill. The National Cable & Telecommunications Association said last week.