RENEE MONTAGNE, HOST:
And the U.S. Senate has passed a cyber-security bill that could stop hackers, but also raises privacy concerns. The vote was 74-21, which shows strong bipartisan support. The House already passed its own bill last spring, and President Obama has indicated he'll sign the measure. Here to talk about it is NPR's technology reporter, Aarti Shahani. Good morning.
AARTI SHAHANI, BYLINE: Good morning.
MONTAGNE: What exactly does the bill do?
SHAHANI: Well, it's called the Cyber Security Information Sharing Act, or CISA, and it encourages private companies to tell the federal government when they've been hit by hackers. A breached company would give details about the attack - what Internet addresses it came from, the malicious software used and possibly the personal information of customers - over to Homeland security. That agency would give a red alert to other companies who may be targeted next and also pass along all that information to the National Security Agency. One amendment to the bill, which would have required the removal of personally identifiable information, that failed to pass yesterday.
MONTAGNE: Well, and of course, anything that has to do with lots of information being passed on to entities is controversial these days. Who likes CISA and who doesn't?
SHAHANI: Well, there are many supporters, obviously. Among lawmakers, there's been this really urgent feeling that we've got to do something about the hackers. And it's not just because of corporate breaches like Sony Pictures. When the Office of Personnel Management was hit, government workers hit, you know, that really hit home. But privacy is a sticking point. Critics, including tech giants like Apple, Twitter and LinkedIn, they've come out against the bill, saying it doesn't do enough to protect customers and users. And some critics go as far as to say it's a grab by the intelligence community.
MONTAGNE: Well, not the White House, which has called the Senate bill an important building block. Is it?
SHAHANI: Information sharing is voluntary under CISA. And other voluntary initiatives already exist in banking, retail, critical infrastructure. You know, the problem for companies is it can be really embarrassing to share that a breach has happened. It can have financial implications, hit the stock. So lots of companies don't want to do it because, you know, what are they going to get out of it? CISA offers liability protection. So say you hand over too much customer information, you can be protected from lawsuits. But experts I've interviewed say that that doesn't do much to change the corporate calculation, the incentive structure. Lawmakers could have focused on clarifying big, looming questions in cyber security like, for example, who's liable when software fails? A group of cyber security professors and lawyers, they said in a statement that CISA creates new law in the wrong places.
MONTAGNE: And just finally, this isn't the first time we've heard about an information-sharing bill to stop hackers. There was one that failed back in 2012. What is the difference here?
SHAHANI: Well, CISA comes at a different time, politically. Back then, Democrats controlled the Senate, and they blocked a bill with a similar acronym, CISPA - the Cyber Intelligence Sharing and Protection Act. Now, Republicans control the Senate, and we're all tired of being hacked. So there's more of a popular impetus, and both sides feel the need to do something.
MONTAGNE: That's NPR's technology reporter, Aarti Shahani. Thanks very much.
SHAHANI: Thank you.
NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.