The Senate will take up a cyber bill this week that already has critics promising a rigorous debate over what they say is little more than a surveillance measure dressed in the guise of cybersecurity legislation.
The bill’s sponsors have floated a managers’ amendment that would address at least some of the concerns expressed by privacy advocates, but one of the most vocal opponents of the legislation, Sen. Ron Wyden, said Monday the proposed changes don’t go far enough.
The looming showdown over the Cybersecurity Information Sharing Act (S 754) carries an echo of the broader tussle over the balance between privacy and security touched off by former government contractor Edward Snowden’s revelations. But it also takes place in the shadow of a series of high-profile hacks that have focused attention on glaring gaps in the nation’s cyber defenses.
The latest known major breach hit the networks of the Office of Personnel Management, compromising personal information of more than 22 million current and former federal employees. But the private sector is also under a constant barrage of malicious online attacks, and everything from health care and retail to banking and defense has been targeted.
The bill up for consideration would encourage private companies and the government to share information about cyber threat indicators and data breaches. It would also provide liability protection to firms that do so.
Majority Leader Mitch McConnell, R-Ky., filed cloture on the motion to proceed to the measure on Monday evening. Lawmakers will resume discussion of the motion Tuesday morning.
The idea underpinning the bill is that if companies can share information about malicious cyber attacks with the government and each other, then other firms and federal authorities can secure their own networks from the same threat.
Sen. Richard M. Burr, R-N.C., the Intelligence Committee chairman and the bill’s sponsor, says the legislation would boost cybersecurity while also taking into consideration privacy concerns.
Burr successfully ushered the bill through committee in a 14-1 vote in March. The sole no vote then came from Wyden, who has criticized the legislation as a “surveillance bill.”
Civil liberties advocates have expressed concerns about several aspects of the legislation, including what they say are inadequate privacy guarantees. They say the bill would allow the government to channel the information companies provide about cyber threats toward everyday law enforcement investigations unrelated to cybersecurity.
The Center for Democracy and Technology, which advocates for Internet privacy rights and legal controls on government surveillance, said it opposes the bill, and in a statement on its website urged lawmakers to vote against it and the president to veto it should it reach his desk.
In what could provide a path forward, the sponsors floated a managers’ amendment that would address at least some of those concerns, according to details obtained by CQ.
The managers’ amendment would limit the authorization for sharing cyber threat information to cybersecurity purposes, and would scrap the government’s ability to funnel cyber information toward investigating and prosecuting “serious violent felonies.”
It would also clarify a provision about defensive measures, specifying that unauthorized access to a computer system would not be permitted.
Speaking on the Senate floor Monday evening, Wyden welcomed the changes offered in the amendment but said “the bill needs a lot more work.”
“It does not fix the provision of this bill that will allow private companies to hand large volumes of their customers’ personal information over to the government with only a cursory review, even if that information is not necessary for cybersecurity,” he said.
“The bottom line is that the legislation as it stands today doesn’t do a whole lot to protect U.S. networks against sophisticated hacks and will do a lot to undermine the privacy rights of the American people.”
The House passed two similar information-sharing bills (HR 1731 and HR 1560) earlier this year, although there are significant differences among all three, including which government agency should act as the gateway for information from the private sector.
Internet security experts have expressed doubt about the need for any of the three bills. In a letter sent to the leaders of the House and Senate intelligence committees in April, around 60 cybersecurity professionals said all three pieces of information-sharing legislation would permit overly broad sharing and would not improve cybersecurity.