After years of delay and false starts, Congress may finally be on the verge of passing a bill to address Internet data breaches and cybersecurity. The Senate is once again debating the Cybersecurity Information Sharing Act (S. 754), or CISA, and it appears to have the votes to pass this time around.

The short story

The bill doesn’t contain any provisions that would directly improve computer or network security. Instead it would encourage private entities to share information with the federal government about possible threats to industrial control systems and other computer networks and information technology systems. CISA could help prevent and prosecute “cyber” crimes, but critics are wary of the immunities granted to private entities.

What the bill says

Here’s how it would work. Private entities would be given authority to monitor networks for cybersecurity purposes, and if they find any “cyber threat indicators” they are encouraged to share that information with the government. Monitoring and sharing conducted under the bill would be shielded from liability under privacy laws and contracts (such as user agreements), and any shared information would be exempt from use by the government in pursuing regulatory enforcement actions.

The bill attempts to address privacy concerns by requiring companies that share information with the government to strip out anything that they know at the time of the sharing to be personally identifiable information. There is also an amendment pending from Sen. Ron Wyden (D-OR) that would strengthen this privacy language by making it clear that entities are required to remove as much personal information as is feasible before sharing information.

Cyber threat information would be shared with the government through a portal that is to be set up by the Department of Homeland Security, and all of the information DHS receives would be automatically shared with other federal departments and the Office of the Director of National Intelligence. The information could be used to investigate and prosecute “cyber” crimes and other offenses, including “an imminent threat of death, serious bodily harm, or serious economic harm,” identity theft, espionage, and theft of trade secrets.

Opponents of CISA — from civil liberties and Internet freedom organizations to top technology companies like Apple, Twitter, and Reddit — say that it could be a step backwards for both privacy and Internet security. Consumers would not have recourse if their personal information is improperly shared with the government, and the legal immunity provisions would discourage companies from working harder on improving their own security measures, they argue.

How we got here

CISA has been around in Congress in some form or another since at least 2011. In the Senate it was originally attached to a larger effort, the Lieberman-Collins Cybersecurity Act, that would have also established cybersecurity standards for companies that own and operate crucial infrastructure, like electric utilities and chemical plants. But the U.S. Chamber of Commerce opposed the standards and Republicans in the Senate voted the bill down, leaving just the immunity-for-information provision for Congress to consider.

The House of Representatives passed its version of the bill, the Protecting Cyber Networks Act, in April by a vote of 307–116. If CISA passes in the Senate, a conference committee is expected to be convened to reconcile the two measures into a final version, which would then have to pass both chambers once again before being presented to the President for his signature or veto.