Senators Agreed on 22 CISA Amendments, but Some May Not Get a Vote

The 22 amendments to the Cybersecurity Information-Sharing Act that senators agreed upon before recess may not all get a vote, Sen. Dianne Feinstein, one of the bill's co-sponsors, said Wednesday.

The next few months of the Senate's time will largely be taken up by debate over appropriations and President Obama's nuclear deal with Iran, leaving little time for the cybersecurity bill and the bevy of proposed amendments that will go along with it.

To make room for debate on the information-sharing bill, some of the amendments may not get a vote, Feinstein told National Journal.

"I don't know if there will be 22 amendments," the California Democrat said. "Everything changes week to week. I'm more concerned with getting the bill up, trying to get it passed, getting it conferenced, and then getting the conference report approved."

"A shorter debate means fewer amendments, because you have to complete the debate," Feinstein added. She said she did not know which amendments may not get voted on.

The bill Feinstein co-sponsored with Sen. Richard Burr, a Republican, is meant to improve cybersecurity in government and in the private sector by creating incentives for businesses to share information about cyberthreats with each other and with federal agencies.

The agreement senators reached before leaving in August was to make pending a group of 22 amendments: 10 from Republicans, 11 from Democrats, and a manager's amendment from the bill's sponsors. The amendments address a wide range of issues, including privacy protections for individuals, liability protections for companies, and the structure of the sharing program itself.

"It’s not known yet if all will be voted on," said Don Stewart, a spokesman for Senate Majority Leader Mitch McConnell.

Still, because senators agreed in August to make the amendments pending, a move to dispose of one or more would require a vote—or the amendment could be withdrawn by its sponsor.

Some senators who fought hard to put forward changes to the bill may try to block attempts to cut down on the amendments that get considered.

"I'm certainly not going to casually give unanimous consent to chop off amendments," said Sen. Ron Wyden, who has repeatedly criticized CISA for what he says are lackluster privacy protections. Wyden is the sponsor of multiple amendments in the package that was negotiated before recess.

"What I agreed on with respect to this issue is that there would be 22 amendments—and no time limits, by the way," Wyden said.

The information-sharing bill and its amendments have pitted privacy advocates and security experts against businesses. Privacy advocates say the bill could result in companies improperly sharing individuals' sensitive personal information with the government—including law-enforcement and surveillance agencies—and they are lobbying for the Senate to drop CISA. Tech experts say there are more effective ways to improve cybersecurity than information-sharing.

But the business community has come out in support of the bill, citing the need for more protections against cyberattacks. Companies stand to gain from the liability protections in the bill, which are designed to incentivize sharing.

Since senators are currently mired in debate over the Iran deal, it's not clear when the bill and its amendments—whatever the number—would come up for consideration. Multiple lawmakers said Wednesday they hope it gets a vote, but the Senate's schedule remains murky.

CISA will come up "eventually," said Stewart, McConnell's spokesman. "Could be September, could be October, could be November. We don't know yet."