The House and Senate on Friday passed cybersecurity legislation as part of the larger omnibus spending bill
Privacy advocates say the White House and lawmakers worked in secret and subverted privacy concerns
President Barack Obama is set to sign the most substantial piece of cybersecurity legislation in years, after an intense sprint of 24/7 negotiations managed to get the bill ready in time to be attached to the government spending measure the House and Senate approved Friday.
But privacy advocates say those midnight, closed-door negotiations have walked back hard-won protections.
Known by the buzzword of “information sharing,” the bill is designed to give companies legal cover to share data about cyberattacks with each other and with the government. The legislation would protect those companies from being sued for sharing that information, for example from antitrust claims.
The premise for the bill, which has been heavily lobbied for by the Chamber of Commerce and financial services sector, is that cyber attackers use the same techniques and tactics repeatedly on a wide range of targets. Allowing those organizations to communicate what they see and how they block it with each other, then, would give companies defending their computer networks an upper hand against hacks.
But while companies claim that they are unable to share information now for fear of lawsuits, the bill has been staunchly opposed by privacy and civil liberties groups who say it is merely an expansion of surveillance and curtailing of consumers’ privacy rights.
And those groups say the blame lies at the White House for letting the measure go forward.
“I think they completely bent over, they went a 180 on their previous positions, and it’s really disappointing,” said Robyn Greene, policy counsel at New America’s Open Technology Institute. “I think after Sony [was hacked by the North Koreans] they got to a point that they were sick of trying and decided they would rather get something done rather than do something right.”
One major complaint: the cyber information shared would go to federal agencies including the Defense Department and NSA, and the “purposes” allowed under the bill for the government to spread the data have been criticized as far too broad.
Obama plans to sign the omnibus bill when it reaches his desk, and the White House praised the cyber component.
“We are pleased that the omnibus includes cybersecurity information sharing legislation,” a senior administration official told CNN. “The President has long called on Congress to pass cybersecurity information sharing legislation that will help the private sector and government share more cyber threat information by providing for targeted liability protections while carefully safeguarding privacy, confidentiality, and civil liberties.”
The measure has been under development for several years. It faltered in the Senate in 2014, never reaching the floor for a vote, but the House passed two versions of the legislation in April and the Senate followed suit with its own take in October. All that was left was reconciling the bills’ differences with White House input and getting both chambers to approve the new legislation to send to Obama. The omnibus provided the opportunity to move ahead.
The bill comes amid a heightened attention on cybersecurity nationally and in the presidential race. Republican candidates regularly criticize the administration for allowing other nation states, like China, to engage in broad hacking of American companies and the government itself.
An unrelated debate about encryption software, which law enforcement officials say terrorists are increasingly using to communicate, has also been heating up. While this bill does not in any way address encryption, its moment in the spotlight comes as hawks are calling for greater U.S. defenses and offensive capabilities in cyberspace.
Privacy advocates worry
Privacy advocates say the new legislation than any version of the bill seen previously.
Complaints about the bill center around what is actually shared by companies. Groups argue that the definition of what is pertinent to cybersecurity is too broad, and the burden on companies to scrub personally identifiable information from that data is too lax. The final version of the bill compels entities to remove information they “know” is extraneous personal information; some earlier versions used “reasonably believe” instead, putting more burden on companies.
The bill’s fiercest critic, Sen. Ron Wyden, D-Oregon, has said he is not opposed to cybersecurity improvements, but the bill would sacrifice privacy for not enough gain.
“This ‘cybersecurity’ bill was a bad bill when it passed the Senate and it is an even worse bill today. Americans deserve policies that protect both their security and their liberty. This bill fails on both counts,” Wyden said in a statement.
“I think this is very much on President Obama’s shoulders,” said Evan Greer, campaign director at Fight for the Future, an open Internet advocacy group. “His administration threatened to veto a very similar piece of legislation in 2013, and since then they’ve done a real about-face on this and are now cheerleading for a bill that’s the worst we’ve seen yet.”
Supporters and authors of the bill say the privacy groups are crying wolf in bad faith – saying that this version of the bill is the best one yet and that it addresses a very real concern. Aside from the White House, the bill has the support of prominent Democrats in both chambers, including Senate Intelligence Committee ranking member Dianne Feinstein and House Intelligence Committee ranking member Adam Schiff.
Hill staffers familiar with negotiations also deny that anyone was excluded from negotiations, but said the time came for a close circle to get things done.
“This has been a bill that’s been around for what, five years? And it had the most input of everything, but at the end of the day, people have to sit down and hammer out the text, and that’s what happened over the last couple weeks,” said one senior Democratic congressional staffer involved in the negotiations.
The staffer acknowledged the bill isn’t the most pro-privacy version of the legislation put forward, but said it was the most pro-privacy version that could pass Congress.
“At the end of the day, we had to get this bill done,” the staffer said.