Senate Approves a Cybersecurity Bill Long in the Works and Largely Dated

After four years of false starts and strife over privacy protections, the Senate passed legislation by a vote of 74 to 21 that would help companies battle a daily onslaught of cyberattacks. But there is one problem with the legislation, the Cybersecurity Information Sharing Act, or CISA: In the years that Congress was debating it, computer attackers have grown so much more sophisticated — in many cases, backed by state sponsors from Shanghai to Tehran — that the central feature of the legislation, agreements allowing companies and the government to share information, seems almost quaint.

To many in the trenches of daily computer combat, it is a little like the insistence of some cavalry officers in the 1930s on sticking to horses, rather than investing in mechanized divisions. Senate legislation faces more legal wrangling at a House-Senate conference at which conferees must reconcile the Senate bill with two similar, albeit slightly different, bills passed by the House in April: the Protecting Cyber Networks Act, or PCNA, and the National Cybersecurity Protection Advancement Act, or NCPAA, which were eventually combined. Both bills, like the Cybersecurity Information Sharing Act, would establish a voluntary threat information-sharing vehicle, whereby companies and government agencies can share information about attackers’ code and techniques, and risk alerts. Both bills also include liability protections for private companies, shielding them from lawsuits for sharing certain types of data. And both set up some privacy safeguards for customers’ personal information. But the logistics of each bill are slightly different and will have to be hammered out by the conference.