A Cybersecurity Turf War at Home and Abroad
The House passed not one, but two, bills last week to provide immunity from consumer lawsuits to companies that share with each other, and with the government, information about cyber-threats and attacks on their networks.
It’s clear that majorities of both parties believe greater cooperation between business and government is needed to fight the hackers who’ve stolen data from some of America’s biggest companies.
What’s less clear is how the process is going to work. In passing two bills, instead of one, House leaders gave an ambiguous answer.
The differences between the bills are significant. The first bill, a product of the Intelligence Committee, would allow companies to share data with any federal agency, except the Defense Department, and receive liability protection.
The second bill, drafted by Homeland Security Committee Chairman Michael McCaul of Texas, would require that companies go to the National Cybersecurity and Communications Integration Center, a new division within the Homeland Security Department, if they want immunity.
Both McCaul and Intelligence Committee Chairman Devin Nunes of California, who sponsored his committee’s bill, had only praise for each other last week. But normally committee chairmen who both have a stake in an issue and want to produce the best possible bill work together to reconcile differences in advance of a vote. In this case, they didn’t.
It’s no surprise that McCaul wants the new Homeland Security Department cybersecurity center to play a critical role. He sponsored the bill that created it last year and he was annoyed earlier this year when President Barack Obama announced the creation of a new agency, under the Director of National Intelligence, to coordinate the government’s cybersecurity response. McCaul wrote to Obama in protest. He said the two centers appeared to be duplicative.
But the Intelligence Committee bill passed last week would give the new White House cybersecurity center, known as the Cyber Threat Intelligence Integration Center, Congress’ blessing by authorizing it.
“Because there seems to be some kind of turf war between the Intelligence Committee and the Homeland Security Committee, we’re actually voting on two overlapping bills that in several respects contradict one another,” Democratic Rep. Jared Polis of Colorado said during the floor debate last week.
The measures differ in another significant way. McCaul’s bill would allow the Homeland Security Department to share cyber-threat information it receives from companies with other government agencies, but they’d be barred from doing anything with it except fight hackers.
The Intelligence Committee bill would allow the government to use the data to respond to, prosecute or prevent “threats of death or serious bodily harm,” as well as “serious threats to minors, including sexual exploitation and threats to physical safety.”
Polis, whose view was clearly in the minority, argued that might allow the feds to go after him for failing to babyproof his house.
The bills have other differences. Their definitions of what qualifies as cyber-threat information vary, as do their definitions of the “defensive measures” the bill authorizes companies to take to combat hackers.
Both bills aim to ensure personal information about consumers that’s irrelevant to a cybersecurity threat isn’t distributed. They do that by requiring both the companies sharing data and the government agencies receiving it to erase it.
But McCaul’s bill would task the Homeland Security Department’s chief privacy officer and its officer for civil rights and civil liberties, in consultation with an independent federal agency known as the Privacy and Civil Liberties Oversight Board, with ensuring that happens. The Nunes bill, by contrast, would place responsibility for writing privacy guidelines in the hands of the attorney general.
House leaders will get to decide what happens next. A House leadership aide said Nunes will get his way on at least one of the big issues: Companies will be able to provide cyber-threat information to any non-Defense Department agency and receive liability protection. It’s not yet clear how the leaders will come down on the other differences.
It is clear that privacy advocates, as well as House members, prefer McCaul’s bill. It passed with 355 yeas compared to 307 for Nunes’ bill. But if only one of them is to become law, it’s more likely to be the Nunes bill.
The Senate’s companion measure is an Intelligence Committee bill sponsored by Republican Richard M. Burr of North Carolina, who’s well known for stressing security over privacy. Burr last week introduced a bill to extend the authorization for the National Security Agency’s controversial phone record collection program to 2020. His cybersecurity bill hews more closely to the Nunes version than McCaul’s.
Senate Majority Leader Mitch McConnell of Kentucky hasn’t set a date for considering Burr’s bill, but it is expected to pass easily. The Intelligence Committee approved it in March on a 14-1 vote. Only civil liberties advocate Ron Wyden, an Oregon Democrat, objected.