Cyber compromise sparks privacy feud


Lawmakers, privacy advocates and civil liberties groups sparred Wednesday over the final text of a major cybersecurity bill released overnight as part of an omnibus spending package.

The bill, which would encourage businesses to share more data on hackers with the government, has drawn fierce opposition from privacy groups and a vocal coalition of lawmakers.

These opponents came out swinging Wednesday against what they see as a bill that would merely shuttle more of Americans’ personal data to the National Security Agency (NSA) without actually boosting the nation’s cyber defenses.

They lamented congressional leadership’s decision to move the controversial bill as part of a must-pass funding package and called for a more extensive debate over the cyber legislation’s negotiated language.

“This ‘cybersecurity’ bill was a bad bill when it passed the Senate and it is an even worse bill today,” said Sen. Ron Wyden (D-Ore.), who led the upper chamber’s charge against its version of the bill, which passed in October.

But the cyber bill’s backers — including many lawmakers, industry groups and even the White House — shot back, arguing the final text addressed many of opponents’ privacy concerns. Congress needs to move this necessary first-step bill swiftly, they said, to help combat the rising tide of cyberattacks.

“It is difficult to overstate the threat posed by bad cyber actors to our security, our privacy and our economy,” said House Intelligence Committee ranking member Adam Schiff (D-Calif.), who co-sponsored one of two complementary House bills that passed in April.

“The [final] bill contains the strongest privacy protections to date,” Schiff added. “It is the most significant effort by Congress to address the cyber threat to date and should now become law.”

The negotiated bill, now called the Cybersecurity Act of 2015, was the product of several weeks of frantic negotiations.

Lawmakers were trying to merge a measure crafted by the Senate Intelligence Committee with two House bills: one from that chamber's Intelligence panel and another from the Homeland Security Committee.

Lawmakers developed the final text mostly through unofficial discussions, rather than a more formal conference between the two chambers, due to some disagreements between the House and Senate over the conference process and the unusual need to combine three bills.

Negotiators also faced a tight deadline, hoping to wrap up the process and have the bill on President Obama’s desk by the end of the year.

For the last two weeks, lawmakers had targeted the $1.1 trillion spending measure as a way to get the merged bill through Congress before the end of the year.

They just made it in time, producing a final text Tuesday afternoon, just hours before the text of the omnibus was released.

The strategy spurred frustration on Capitol Hill and in the privacy community.

“Neither negotiations — nor even bill text — have been made public,” said a letter circulated to House members on Tuesday and signed by Reps. Justin Amash (R-Mich.), Zoe Lofgren (D-Calif.), Jared Polis (D-Colo.) and Ted Poe (R-Texas). “We cannot cast such a consequential vote with no input.”

And the release of the final text did not quell their concerns.

“Congress has chosen to advance legislation that places the privacy of Americans in further peril,” said Neema Singh Guliani, legislative counsel with the American Civil Liberties Union. “It would wrongly allow companies to share larger amounts of consumer information with government agencies, potentially including the NSA.”

The privacy community warned that the bill could grant companies the ability to hand information directly to the NSA, a concept that is anathema in the wake of Edward Snowden’s disclosures of the agency’s clandestine surveillance programs.

Schiff denounced these arguments in a letter circulated Wednesday to his colleagues titled, “Inaccurate Claims versus Facts.”

The bill designates the Department of Homeland Security (DHS) “as the sole portal for the sharing of cyber threat information with the government,” the letter said.

“Only if the president would certify that they can’t do the job would it go to someone else,” Schiff told The Hill Wednesday afternoon.

“Now that’s pretty inconceivable since they are already doing the job,” he added, alluding to the agency’s established cyber hub, which collects and disseminates cyber threat information.

Digital rights groups also critiqued the final text for lacking a strict mandate for companies to scrub personal information before sharing data with the government.

The privacy community and the White House had pushed for the inclusion of a phrase that would require companies to make “reasonable efforts” to identify and remove known personal information.

That phrase, part of the House bill that privacy advocates preferred, did not make the final cut.

But negotiators believe the ultimate language is actually a stronger mandate, arguing that "reasonable" could create a confusing, subjective review standard.

“It’s even a better product than what we originally had,” House Intelligence Committee Chairman Devin Nunes (R-Calif.) told The Hill.

The two sides also tussled Wednesday over a section authorizing the government to use information received under the bill for non-cybersecurity purposes, such as identity theft and espionage.

“It allows, actually provides, that information that is collected under the auspices of cybersecurity can be used for unrelated criminal prosecutions without a warrant,” Lofgren told The Hill.

Proponents countered that such fears are overblown, describing the exceptions as narrowly tailored and considerably slimmed down from previous iterations of the bill.

Negotiators also pointed to a small but important addition to that section during the recent discussions. The final text says that these non-cyber incidents must involve a “specific threat,” which backers say will prohibit abuse of the clause.

“This bill has addressed each of the concerns that were raised by members, as well as by the privacy community,” Schiff said.

“This is not a controversial bill whatsoever,” Nunes insisted, referencing the large margins by which each individual bill passed. “It has overwhelming support.”