CISA amendment fights to begin

With help from Joseph Marks, David Perera and Adam Sneed

CISA’S GRAND ARRIVAL — The Cybersecurity Information Sharing Act made it to the floor Tuesday after a long series of fake-outs, and instantly the moving pieces began to click and whir. There was a new manager’s amendment with a number of existing proposals and a number of surprises. There was a failed bid to set up a quick floor procedure; instead, Senate Majority Leader Mitch McConnell moved to end debate with a series of cloture votes that could get CISA to the finish line by early next week. And there was a new blitz of position declarations and campaigns.


— AMENDMENTS THAT GOT IN: We’re still sussing out what some of the amendments included in the manager’s package do. In all, 14 amendments were absorbed into the bill, eight from the list of 21 that the Senate agreed to consider before the August recess.

Two of those were the subject of a fight between the Obama administration and bill sponsors over giving the Department of Homeland Security a chance to take one more swipe at removing personally identifiable information, sponsored by Sens. Tom Carper and Chris Coons. According to a staff summary of the new manager’s package, the compromise language would allow DHS to set up automated ways of scrubbing info “under certain conditions.” Carper said in a news release that the compromise ensures that DHS “can apply privacy protections to cyber threat data as it sends information to other agencies.”

Most of the new amendments require some kind of report or assessment: a study of cyber threats to emergency services, a study of the cybersecurity of the Department of Health and Human Services and the health sector, and a review of “federal computers that have access to classified information or personally identifiable information,” according to the staff summary of the new manager’s package.

— AMENDMENTS SUBJECT TO MORE SQUABBLES: The financial sector laid down markers about which amendments it opposes going forward. A joint industry letter registered objections to amendments like the one offered by Jeff Flake to sunset the bill after six years, or the one offered by Patrick Leahy to remove FOIA exemptions. Those amendments and others “could undermine the core principles of the bill.” The letter: http://bit.ly/1XiRCIu

Among privacy groups, Sheldon Whitehouse’s amendment to expand penalties under the Computer Fraud and Abuse Act was particularly unpopular, but he has modified it enough to win over hacker firm Rapid7, as Dave wrote for Pros. It’s unclear whether the changes will be enough to win over more critics. http://politico.pro/1PFrzZQ

And contrary to what a Rand Paul aide told Pro Cybersecurity early Tuesday, Paul’s amendment canceling liability protections for participating companies that violate their user agreements is not in the manager’s package – which means it should be subject to a standalone floor vote. We’ve reached out to Paul's office and will let the readers know what we find out.

— JUDICIAL REDRESS ACT MIGHT BE CISA AMENDMENT IN SENATE: More from our friends at MT: Now that the House has voted to extend certain privacy rights to major U.S. allies, tech’s lobbying push to pass the Judicial Redress Act turns to the Senate. The bill passed the House in a voice vote Tuesday, and it looks like the quickest action in the upper chamber could come as an amendment to the Cybersecurity Information Sharing Act, where it’s currently on the list of amendments to be considered. When the amendment might come up is still uncertain, but the tech set is already pushing for it to happen ASAP so a replacement to the U.S.-EU safe harbor agreement can advance.

— FAXES LOST IN ANTI-CISA CAMPAIGN: Fight for the Future says something went wrong in its fax campaign to drum up Senate opposition to CISA. In a Reddit post on Tuesday night, CTO Jeff Lyon, architect of the fax campaign, said CISA opponents generated more than 6 million faxes to Senate offices, but the majority were “lost or deleted, without ever reaching the offices of the senators.” Lyon tells Morning Technology that Sens. Ron Wyden and Brian Schatz in early September tipped the group off to the fact that the faxes never made it. The Sergeant at Arms told Lyon that the faxes weren’t being received or blocked, but a phone bill showed some calls did go through. More here: http://bit.ly/1GRuNSJ

Another campaign: Fight for the Future on Tuesday launched an “Internet Defense League” action to mobilize 15,000 websites to display alerts against CISA, similar to the protests against SOPA and other bills the websites considered a threat to Internet freedom: http://bit.ly/1XiNDM1 And Apple became the latest in an ever-growing line of tech companies opposing CISA in its current form: http://wapo.st/1OH6j6S

HAPPY WEDNESDAY and welcome to Morning Cybersecurity, where we’re not sure whether to be encouraged by the notion that marshmallow-only Lucky Charms might actually be better for you, considering that it makes us more likely than usual to buy Lucky Charms: http://nydn.us/1hRyyRA. Send your thoughts, feedback and especially your tips to [email protected] and follow @timstarks, @POLITICOPro and @MorningCybersec. Full team info is below.

HOUSE E&C WILL CONSIDER WHO HAS ‘AUTHORIZATION’ TO ALLOW CAR HACKING — A House Energy and Commerce subcommittee will hold a hearing today on a draft auto safety bill that’s drawn quick opposition from cybersecurity and privacy advocates – particularly over language establishing civil fines for car hacking conducted “without authorization” at $100,000 per incident. Many have assumed the authorization language would prohibit security researchers from investigating car computer security, which hasn’t exactly proven to be impervious to hacking. But a committee aide tells MC that lawmakers’ intent is to specify that it’s the car owner or lessee who’s in a position to grant authorization, not car manufacturers. The topic is expected to come up during the hearing, the aide said. The FTC and the NHTSA have already expressed concerns about the bill. More for Pros: http://politico.pro/1W4eAGe

SMALL BUSINESSES SET TO CRITICIZE EMV TRANSITION — The House Small Business Committee will hold the second of two hearings on the EMV liability shift today and this one is likely to produce more fireworks: http://1.usa.gov/1RfXq1z. As of Oct. 1, the liability for counterfeit card transactions will fall on whichever party hasn’t upgraded to “chip” card technology offered by the Europay-MasterCard-Visa coalition – whether it’s the merchant or the card provider.

All parties agree EMV chip cards are much more difficult to counterfeit, but some organizations have criticized the transition, either for overburdening small businesses or for not requiring both a chip card and a PIN number. Jared Scheeler, who owns four convenience stores in North Dakota and is testifying on behalf of the National Association of Convenience Stores, plans to say it’s cost him $134,500 so far to upgrade to the new system, according to an advance press release shared with MC. U.S. Public Interest Research Group Consumer Program Director Ed Mierzwinski, a chip and PIN advocate, plans to say that instead of the “best available technology, the EMV switch takes us merely to what’s best for the big banks,” which he says receive higher swipe fees for signature transactions.

Transition champions are also lining up their response forces. Financial Services Roundtable Vice President Jason Kratovil, for example, posted a blog entry Tuesday comparing PIN advocates to snake oil salesmen and calling their arguments “a bunch of Gish Gallop.” http://bit.ly/1NmruaY

STATE DEPARTMENT PLANS INTERNATIONAL CYBER WORKSHOPS — The State Department plans to contract with the Center for Strategic and International Studies to run three “international, non-public and unclassified workshops in Geneva, Switzerland,” focused on cyber issues before the close of June 2016, according to contracting documents out Tuesday. Invitees will include “government representatives and selected nongovernment experts from NGOs, the private sector and academia, on international security issues,” according to the document.

CSIS senior fellow and top cyber expert Jim Lewis, who’s slated to manage the meetings, said planning’s just beginning and that the meetings will focus on international law and developing cyber norms. The estimated cost of the workshops is about $300,000. The contracting document is a “justification and approval for other than full and open competition,” which argues CSIS and Lewis are uniquely qualified to run the workshops so they needn’t be competitively bid. http://1.usa.gov/1KnbvFa

APPLE SENT BACK TO DRAWING BOARD IN IPHONE UNLOCKING CASE — Apple must now directly address its view of the All Writs Act, the 18th-century law prosecutors are relying on to support giving police the authority to compel the company to unlock iPhones. In a Tuesday order, Magistrate Judge James Orenstein said Apple needs to “supplement its submission by addressing the legal question before the court; namely, whether the All Writs Act empowers the court to compel Apple to provide the technical assistance the government seeks.” Apple said in a late Monday court filing that unlocking an alleged criminal’s iPhone at the behest of law enforcement would damage its reputation.

But Orenstein is particularly skeptical of the All Writs Act that federal prosecutors cite as authority for the unlocking request. The judge wrote an order about the law earlier this month, holding that it doesn’t create prosecutorial authority otherwise unassigned by Congress – but Orenstein apparently wants to hear it directly from Apple. Orenstein also denied friends-of-the-court status to a bevy of civil liberties groups seeking to advise on the outcome. The groups, including the American Civil Liberties Union and the Electronic Frontier Foundation, can address the wider implications of the case, Orenstein wrote, but “the sole legal issue before the court is a narrow one that directly affects only the government and Apple Inc. and that they are fully capable of exploring thoroughly in their submissions.” Background on the case for Pros: http://politico.pro/1XiFck3

QUICK BYTES

— There’s a settlement with employees over the Sony hack, and a company official said the impact was short-lived. AFP: http://bit.ly/1GRJ95F

— “Ireland’s privacy watchdog will now probe how much access the U.S. government has to Europeans’ Facebook profiles — and whether that means Facebook should be forced to keep Europeans’ data in Europe.” Wall Street Journal: http://on.wsj.com/1RmK1ok

— Some lawmakers have questions about how a teen hacker reportedly broke into the email systems of the chiefs of the CIA and Department of Homeland Security. Sinclair Broadcast Group: http://bit.ly/1RmKC9L

— Not that there was much interesting to be found in the email caches of John Brennan or Jeh Johnson. The New York Times: http://nyti.ms/1ZVVvWi

That’s all for today. You won’t be taking me lucky cereal. http://bit.ly/1gnRwrE

Stay in touch with the whole team: Joseph Marks ([email protected], @Joseph_Marks_); David Perera ([email protected], @daveperera); and Tim Starks ([email protected], @timstarks).
