The massive year-end spending measure includes a provision that will encourage companies to share cyber threat information with the government.
Privacy advocacy groups immediately attacked the bill as did Democratic Senator Ron Wyden of Oregon.
“It’s clear now that this bill was never intended to prevent cyber attacks,” said Evan Greer, campaign director of Fight for the Future, an advocacy group that says it has more than 1.4 million members.
“[I]t’s a disingenuous attempt to quietly expand the U.S. government’s surveillance programs, and it will inevitably lead to law enforcement agencies using the data they collect from companies through this program to investigate, prosecute, and incarcerate more people, deepening injustices in our society while failing to improve security.”
“Congress has failed the Internet once again,” she added, “now it’s up to President Obama to prove that his administration actually cares about the Internet. If he does he has no choice but to veto this blatant attack on Internet security, corporate accountability, and free speech.”
Wyden called the bill “even worse” today, lacking meaningful privacy protections to ensure personal information isn’t passed on and doing little to prevent major hacks.
“Americans deserve policies that protect both their security and their liberty. This billfails on both counts,” Wyden said.
The ACLU called the cyber bill “a surveillance bill by another name” in a statement.
“Instead of passing reforms that would have stopped the Anthem or OPM (Office of Personnel Management) hack, Congress has chosen to advance legislation that places the privacy of Americans in further peril,” it said, adding that the information could be used for criminal prosecutions unrelated to cybersecurity.
The White House has supported prior language in the cybersecurity bill.
The measure, which represents a culmination of several years of effort to pass a cyberbill, brings together three different versions that passed the House and Senate earlier this year with hefty bipartisan support. It was released early Wednesday morning.
The Cybersecurity Act of 2015 largely hews to the Senate version of the bill, which passed despite concerns about privacy and transparency from some senators and technology companies, such as Apple and Yelp.
But there are some changes.
The bill allows the president to designate an agency other than the civilian Homeland Security Department to act as a portal for sharing cyber threats with the government only if DHS cannot and it is necessary. However, the Defense Department, including its National Security Agency, is specifically excluded for becoming an alternate portal.
Rep. Adam Schiff, D-Calif., the ranking member of the House Intelligence Committee, urged lawmakers to support the bill and said it was a major improvement over what was put forward last session, which he said lacked privacy protections.
“The bill is very protective of privacy while also doing a lot to help companies protect themselves from cyberattack,” Schiff said. “We have to measure this against the daily invasion of our privacy by these hackers. Those who believe that perfect should be the enemy of the good, have to justify how they’re willing to accept rampant hacking into our privacy and do nothing about it.”
Companies are also assured they won’t face liability for not acting on information received. Such liability protections are necessary to incentivize data sharing with the government, and have been a major reason why prior bills have failed to pass. Supporters of the cyber sharing bill say it’s necessary to raise the cost to an attacker and ensure the same threats aren’t repeatedly deployed.
The bill also calls on businesses and the government to remove, or scrub, personal identifiable information from threat data before sharing that information.
The first scrub is done by the company when it shares with the Homeland Security Department, and the second when DHS passes it on to other agencies. However, if the cyber threat pertains to a specific threat of the loss of life, economic damage, serious injury or the effort to prosecute or prevent the exploitation of a minor, the personal identifiable information may be passed on.
Sen. Ron Wyden, D-Ore., called the bill “even worse” today, lacking meaningful privacy protections to ensure personal information isn’t passed on and doing little to prevent major hacks.
“Americans deserve policies that protect both their security and their liberty. This billfails on both counts,” Wyden said.
The ACLU called the cyber bill “a surveillance bill by another name” in a statement.
“Instead of passing reforms that would have stopped the Anthem or OPM (Office of Personnel Management) hack, Congress has chosen to advance legislation that places the privacy of Americans in further peril,” it said, adding that the information could be used for criminal prosecutions unrelated to cybersecurity.
The White House has supported prior language in the cybersecurity bill.
The House is scheduled to vote Friday on the bill.
