Cyber threat-sharing bill heads to Senate

It’s on to the Senate for Congress’s major cybersecurity bill. 

The House on Thursday passed, by a 355-63 vote, the second of two complementary measures meant to increase the public-private sharing of hacking data in the wake of mammoth cyberattacks on Sony Entertainment, Anthem, Home Depot and JPMorgan Chase. 

The National Cybersecurity Protection Advancement Act, backed by House Homeland Security Committee leaders, will give companies legal liability protections when sharing cyber threat data with the Department of Homeland Security (DHS). 

ADVERTISEMENT

"Right now, we are in a pre-9/11 moment in cyberspace. In the same way legal barriers and turf wars kept us from connecting the dots before 9/11, the lack of cyber threat information sharing makes us as vulnerable to an attack," said House Homeland Security Committee Chairman Michael McCaulMichael Thomas McCaulHouse Dems introduce resolutions to block Trump's Saudi arms sales Hillicon Valley: Democratic state AGs sue to block T-Mobile-Sprint merger | House kicks off tech antitrust probe | Maine law shakes up privacy debate | Senators ask McConnell to bring net neutrality to a vote Hillicon Valley: Democratic state AGs sue to block T-Mobile-Sprint merger | House kicks off tech antitrust probe | Maine law shakes up privacy debate | Senators ask McConnell to bring net neutrality to a vote MORE (R-Texas).

Lawmakers will now work to combine it with the House Intelligence Committee’s cyber info-sharing bill, which passed overwhelmingly on Wednesday, before sending one bill to the Senate. Together, the bills would shield companies sharing data with any civilian agency, like the Treasury or Commerce Departments.

"With carefully crafted liability protections, private entities would finally be able to share cyber threat indicators with their private sector counterparts without fear of liability," said Rep. John Ratcliffe (R-Texas).

The White House has already given a cautious thumbs-up to the House’s efforts and appears positive about the Senate bill, putting the onus on the upper chamber to determine whether Congress enacts a cyber threat-sharing bill that has been nearly five years in the works.

The intent of the law is to enhance the flow of information about hackers’ tactics between the government and private sector. Both sides need more data on the threats they face, advocates say, so they can bolster the nation’s faltering network defenses. 

Lawmakers, government officials and most industry groups have strongly backed this argument, lobbying hard to make cyber info-sharing a top 2015 legislative priority.

Privacy advocates and a contingent of Democratic lawmakers fear the bill would simply empower the National Security Agency (NSA), handing it more sensitive data for its surveillance efforts. Congress should move on a bill to curb the NSA’s authority before considering any cyber legislation, they maintain.

The Homeland Security bill was the more palatable of the two House bills to privacy advocates throughout the drafting process.

The DHS is seen as the agency most technically capable of stripping personal information from any data received before it is shared with the rest of the federal government. A cyber info-sharing hub at the department — with its established privacy oversight measures —  is also considered the ideal locale under which to consolidate domestic cyber efforts.

Last year’s version of the Homeland bill even got the American Civil Liberties Union’s blessing, a rare occurrence for a cyber bill. 

Privacy groups withheld their endorsements from this year’s iteration, in part because of the knowledge it would likely be combined with the Intelligence panel’s measure, decried as a surveillance bill.

Before final passage, the House adopted, by a vote of 405-8, an amendment from Rep. Sheila Jackson Lee (D-Texas) that would require the Government Accountability Office to report to Congress five years after the bill's enactment to review its impact on privacy and civil liberties.

"The public benefit of this amendment is that it will provide public assurance from a reliable and trustworthy source that their privacy and civil liberties are not being compromised," Jackson Lee said.

Cybersecurity has quietly faded as a focus in the Senate, amid dust-ups over Patriot Act reauthorization, the Iranian nuclear negotiations, an anti-human-trafficking bill and fast-track trade legislation.

Majority Leader Mitch McConnell (R-Ky.) recently proclaimed the Senate would soon take up its companion cyber legislation, known as the Cybersecurity Information Sharing Act (CISA). But it’s no longer clear when the bill might reach the floor.

While CISA languishes, an expanding coalition of Democrats are banging the drum in opposition to the bill. At least four privacy-minded senators have expressed an intent to offer amendments on the floor that could hijack debate and further stall the bill.  

Some believe the Senate may now try to deal with reupping the Patriot Act, which authorizes the NSA’s more contested surveillance programs, before addressing cyber.

McConnell this week fast-tracked a clean reauthorization of the law that would keep the NSA’s spying programs in place until 2020. The move sparked outcries from NSA critics who have vowed to kill the effort and move their own reform bill.

Sen. Patrick Leahy (D-Vt.) — one of the four senators threatening to amend CISA on the floor — called McConnell’s move a “tone-deaf attempt to pave the way for five and a half more years of unchecked surveillance,” and added that it “will not succeed.”