Advancing cyber bills spark fresh NSA worries

Advancing cyber bills spark fresh NSA worries

The House Intelligence panel is preparing to move a cybersecurity bill that privacy advocates argue would embolden the National Security Agency (NSA).

Before the contentious bill hits the floor, though, Intelligence Committee leaders want to join forces with their Homeland Security panel colleagues who are considering a bill of their own.

“It’d be nice to take maybe the best of both bills,” Intelligence Committee Chairman Devin Nunes (R-Calif.) told reporters after the panel unanimously approved its measure, which grants companies legal liability protections when sharing cyber threat data with the government.

“That would be probably the smoothest path forward if we can hammer that out,” added Ranking Member Adam SchiffAdam Bennett SchiffOfficers offer harrowing accounts at first Jan. 6 committee hearing Live coverage: House panel holds first hearing on Jan. 6 probe Five things to watch as Jan. 6 panel begins its work MORE (D-Calif.).

The approach is controversial with privacy advocates, who believe Homeland Security's cyber bill would best protect people's personal privacy.

“I’m very concerned about that,” said Greg Nojeim, senior counsel at the Center for Democracy & Technology. “Very concerned.”

House leaders vowed this year to work on legislation encouraging the private sector to share more cyber threat data with the government.

The issue has been a leading legislative priority for the White House and most industry groups, who see enhanced cyber info-sharing as a critical step in steeling the country’s cyber defenses against the onslaught of foreign hackers.

But privacy concerns have the potential to sink the efforts, as they have in the previous years.

So House lawmakers devised an approach to try and avoid those same pitfalls and garner broad support.

Intelligence — with two new lawmakers in the top slots — started over on its bill and communicated closely with Homeland Security so both bills would move through the process at roughly the same rate.

Nunes said he had “daily conversations” with Homeland Security Committee Chairman Michael McCaul (R-Texas) while drafting what became the Protecting Cyber Networks Act.

“We want to try to work as closely as we can,” Nunes added.

“These bills were designed from the get-go to be complementary,” said Alex Manning, staff director of the House Homeland Security subcommittee on cybersecurity last Congress.

That parallel approach is a dramatic shift for the two committees, which have never before linked their cyber efforts so closely. For years, the Intelligence panel, under former chair Mike Rogers (R-Mich.), was the lead committee on cyber info-sharing.

“Part of that’s a personality issue,” Manning said. “Nunes has been incredibly open to working on this issue and starting from scratch.”

The Intelligence bill would grant liability protections for information shared with any civilian agency, although it’s agnostic about the agency. In a nod to privacy advocates, those same protections would not extend to companies sharing data directly with the NSA or Defense Department.

Meanwhile, McCaul drew up the National Cybersecurity Protection Advancement Act, which is set for a markup on April 14.

His bill incentivizes companies to funnel all data through the Department of Homeland Security (DHS), a civilian agency. It shares many features with a measure McCaul backed last year that had the rare blessing of both the American Civil Liberties Union (ACLU) and the U.S. Chamber of Commerce.

Both bills do include a measure of “insta-sharing” within the government, meaning data would get to the NSA in some capacity, frustrating the privacy community.

But privacy advocates prefer the existing DHS mechanisms that scrub sensitive information before the data goes government-wide.

“So far the Homeland Security bill is the best,” said Nojeim, who still takes issue with parts of the measure. “It makes it clear that information can be shared only for cybersecurity reasons, and be used only for cybersecurity reasons and must be shared with the DHS.”

“Cybersecurity should be a civilian function,” added Gabe Rottman, legislative counsel with the ACLU. “It should be housed at a civilian agency.”

With a broader support base behind McCaul’s measure, analysts say the smart move is to inject portions of the Intelligence bill into the more politically palatable Homeland Security bill, then move it to the floor as a unified measure.

“Absolutely,” said Manning, now the senior government relations director with Arent Fox. “If you’re leadership, it would only make sense.”

But this arrangement makes civil liberties groups queasy. They worry it could create a vehicle to shuttle their least favorite elements across the finish line.

“It’s deeply concerning that the Homeland Security bill could be co-opted and turned into one of these surveillance bills by another name,” Rottman said.

Nojeim argues portions of the Intelligence bill would give the NSA broad authority to use cyber data for purposes “that go way beyond anything that has to do with cybersecurity,” including surveillance, he said.

Nunes and Schiff insist their bill grants no new surveillance authority. They point to specific language in the bill that explicitly says just that.

Cyber info-sharing and NSA surveillance are “not even related,” Nunes said. “They’re not even remotely related. You’re talking about apples and oranges.”

Lobbyists say the two committees haven’t yet determined how to combine their bills. There’s even a chance the two offerings remain uncoupled. That decision won’t come until after after the Homeland Security markup on April 14.

Both measures are slated to hit the floor sometime the week of April 20.

“Do they cherry pick the worst provisions or the best provisions of each?” Nojeim said.