WASHINGTON -- The Senate passed a bill Tuesday aimed at improving cybersecurity by encouraging companies and the government to share information about threats. It took six years to win approval.
The Cybersecurity Information Sharing Act passed by a 74-21 vote. It overcame concerns about privacy and transparency from some senators and technology companies, such as Apple and Yelp.
The Senate rejected amendments, including one addressing concerns that companies could give the government personal information about their customers. Another failed amendment would have eliminated part of the bill that would keep secret information about which companies participate and what they share with the government.
The bill's co-sponsors, Sens. Dianne Feinstein, D-Calif., and Richard Burr, R-N.C., said the measure was needed to limit high-profile cyberattacks, such as the one on Sony Pictures last year.
"From the beginning we committed to make this bill voluntary, meaning that any company in America, if they, their systems are breached, could choose voluntarily to create the partnership with the federal government. Nobody's mandated to do it," Burr said.
Companies would receive legal protections from antitrust and consumer privacy liabilities for participating in the voluntary program.
The House passed its version of the bill earlier this year with strong bipartisan support. The two versions of the bill will need to be reconciled before being sent to the White House for the president's signature.
Sen. Ron Wyden, D-Ore., who opposed the bill, offered an amendment addressing privacy concerns, but it failed to pass. It would have required companies to make "reasonable efforts" to remove unrelated personal information about their customers before providing the data to the government.
"You just can't hand it over," Wyden said. "You've got to take affirmative steps, reasonable, affirmative steps, before you share personal information."
Senators also rejected an amendment Sen. Patrick Leahy, D-Vt., had offered that would have removed a provision to keep secret more information about materials that companies provide to the government. Leahy criticized the bill's new exemption from the U.S. Freedom of Information Act as overly broad because it pre-empts state and local public information requests, and it was added without public debate.
The Sunshine in Government Initiative, a Washington organization that promotes open government policies, urged the Senate last week to support Leahy's amendment. The AP is one of at least nine journalism groups that are members of the organization.
Despite the lengthy road to pass the Senate bill, it's unclear whether it would improve Internet security. Participation is voluntary and companies have long been reluctant to tell the U.S. government about their security failures.
"Passing the bill will have no effect on improving cybersecurity," said Alan Paller, director of research for the SANS Institute. "That's been demonstrated each time sharing legislation has been passed. The cost to companies of disclosing their failings is so great that they avoid it even if there is a major benefit to them of learning about other peoples' failings."
Senators passed an amendment by Sen. Jeff Flake, R-Ariz., that limited the bill to 10 years.
Cyberattacks have affected an increasing number of Americans who shop at Target, use Anthem medical insurance or saw doctors at medical centers at the University of California, Los Angeles.
More than 21 million Americans recently had their personal information stolen when the Office of Personnel Management was hacked in what the U.S. believes was a Chinese espionage operation.