Today, the Senate is voting on the Cybersecurity Information Sharing Act. I've written up the cloture vote and the vote on Rand Paul's amendment.
The morning began with votes on a series of four amendments. The Center for Democracy & Technology has a good overview and analysis of the amendments.
Wyden Amendment
Ron Wyden (D-OR) offered an amendment to require all entities sharing cyber threat indicators with the federal government to remove PII (personally identifiable information) not necessary to describe or identify a cyber threat.
It failed 41 to 55.
7 Republicans voted for the amendment:
Mike Crapo (R-ID)
Steve Daines (R-MT)
Cory Gardner (R-CO)
Dean Heller (R-NV)
Mike Lee (R-UT)
Lisa Murkowski (R-AK)
Dan Sullivan (R-AK)
12 Democrats voted against the amendment:
Tom Carper (D-DE)
Joe Donnelly (D-IN)
Dianne Feinstein (D-CA)
Heidi Heitkamp (D-ND)
Tim Kaine (D-VA)
Angus King (I-ME)
Joe Manchin (D-WV)
Claire McCaskill (D-MO)
Barbara Mikulski (D-MD)
Bill Nelson (D-FL)
Mark Warner (D-VA)
Sheldon Whitehouse (D-RI)
Heller Amendment
Dean Heller (R-NV) offered another amendment aimed at protecting personally identifiable information that was intended as a fallback if the Wyden amendment failed. Heller's amendment would require federal entities to remove PII if they "reasonably believe" it is not directly related to cybersecurity. This is a weaker standard, but it is still an improvement upon the existing bill. Heller presented it as a business-friendly alternative in order to pick up some extra Republican votes.
It failed 47 to 49.
Heller’s amendment achieved support of the 7 Republicans who voted for Wyden’s amendment plus 10 Republicans who had voted against it (the 10 are italicized):
John Barrasso (R-WY)
Bill Cassidy (R-LA)
Mike Crapo (R-ID)
Steve Daines (R-MT)
Mike Enzi (R-WY)
Joni Ernst (R-IA)
Jeff Flake (R-AZ)
Cory Gardner (R-CO)
Dean Heller (R-NV)
John Hoeven (R-ND)
Mike Lee (R-UT)
Jim Lankford (R-OK)
Jerry Moran (R-KS)
Lisa Murkowski (R-AK)
Rob Portman (R-OH)
Dan Sullivan (R-AK)
Pat Toomey (R-PA)
Heller’s amendment picked up the support of 4 Democrats who had voted against Wyden’s amendment:
Joe Donnelly (D-IN)
Heidi Heitkamp (D-ND)
Tim Kaine (D-VA)
Claire McCaskill (D-MO)
8 of the 12 Democrats who voted against Wyden’s amendment voted against Heller’s as well, and they were joined by 8 Democrats (in italics) who had supported Wyden’s amendment.
Sherrod Brown (D-OH)
Tom Carper (D-DE)
Dianne Feinstein (D-CA)
Angus King (I-ME)
Amy Klobuchar (D-MN)
Joe Manchin (D-WV)
Barbara Mikulski (D-MD)
Chris Murphy (D-CT)
Bill Nelson (D-FL)
Harry Reid (D-NV)
Brian Schatz (D-HI)
Chuck Schumer (D-NY)
Jeanne Shaheen (D-NH)
Debbie Stabenow (D-MI)
Mark Warner (D-VA)
Sheldon Whitehouse (D-RI)
Leahy Amendment
Pat Leahy (D-VT) offered an amendment to eliminate the bill's blanket FOIA exemption.
CDT explains:
The amendment removes the Act’s exemption of information shared with the federal government pursuant to the Freedom of Information Act (FOIA) requests.
---CISA’s FOIA exemption would be the most far-reaching broadening of the FOIA’s exemptions since 1986.
---This is unnecessary, given that most, if not all, information shared under the bill would already qualify for protection under existing FOIA exemptions. For example, the bill already notes, in section 5(d)(2), that a CTI or defensive measure provided by an entity to the Federal government will be considered the commercial, financial, and proprietary information of such entity, which is exempt from FOIA disclosure. Furthermore, the bill separately states in section 5(d)(3) that such information will also be deemed voluntarily shared information and exempt from disclosure.
---The House Intelligence and Homeland Security Committees removed this exemption from their cybersecurity bills because of its redundancy.
The amendment failed
37 to 59.
Four Republicans voted for the amendment:
Steve Daines (R-MT)
Dean Heller (R-NV)
Mike Lee (R-UT)
Dan Sullivan (R-AK)
13 Democrats voted against it--the 12 who opposed the Wyden amendment plus Chris Murphy:
Tom Carper (D-DE)
Joe Donnelly (D-IN)
Dianne Feinstein (D-CA)
Heidi Heitkamp (D-ND)
Tim Kaine (D-VA)
Angus King (I-ME)
Joe Manchin (D-WV)
Claire McCaskill (D-MO)
Barbara Mikulski (D-MD)
Chris Murphy (D-CT)
Bill Nelson (D-FL)
Mark Warner (D-VA)
Sheldon Whitehouse (D-RI)
Franken Amendment
Al Franken (D-MN) offered an amendment to narrow the definitions of cybersecurity threats and cyber threat indicators.
From CDT:
The amendment tightens up the definition of “cybersecurity threat” by limiting that definition to actions that are “reasonably likely to” (as opposed to “may,” as in the pending bill) adversely impact the security, availability, confidentiality, or integrity of information or an information system. In addition, the provision would limit an aspect of the definition of “cyber threat indicator” to include only information necessary to describe actual harm (not “potential harm,” as in the original bill) caused by an incident. The amendment also changes the “catch all” in the CTI definition, but it is not clear that this change will have any effect.
It failed
35 to 60.
Four Republicans voted for it:
Steve Daines (R-MT)
Dean Heller (R-NV)
Mike Lee (R-UT)
Jim Lankford (R-OK)
And 15 Democrats opposed it, the 13 who opposed the Leahy amendment plus Bob Casey and Jack Reed:
Tom Carper (D-DE)
Bob Casey (D-PA)
Joe Donnelly (D-IN)
Dianne Feinstein (D-CA)
Heidi Heitkamp (D-ND)
Tim Kaine (D-VA)
Angus King (I-ME)
Joe Manchin (D-WV)
Claire McCaskill (D-MO)
Barbara Mikulski (D-MD)
Chris Murphy (D-CT)
Bill Nelson (D-FL)
Jack Reed (D-RI)
Mark Warner (D-VA)
Sheldon Whitehouse (D-RI)