Cyber compromise sparks privacy feud

Cyber compromise sparks privacy feud
© Greg Nash

Lawmakers, privacy advocates and civil liberties groups sparred Wednesday over the final text of a major cybersecurity bill released overnight as part of an omnibus spending package.

The bill, which would encourage businesses to share more data on hackers with the government, has drawn fierce opposition from privacy groups and a vocal coalition of lawmakers.


These opponents came out swinging Wednesday against what they see as a bill that would merely shuttle more of Americans’ personal data to the National Security Agency (NSA) without actually boosting the nation’s cyber defenses.

They lamented congressional leadership’s decision to move the controversial bill as part of a must-pass funding package and called for a more extensive debate over the cyber legislation’s negotiated language.

“This ‘cybersecurity’ bill was a bad bill when it passed the Senate and it is an even worse bill today,” said Sen. Ron WydenRonald (Ron) Lee WydenHillicon Valley: Zuckerberg defends handling of misinformation in political ads | Biden camp hits Zuckerberg over remarks | Dem bill would jail tech execs for lying about privacy | Consumer safety agency accidentally disclosed personal data Democratic senator introduces bill to jail tech executives for lying about privacy violations Overnight Defense — Presented by Boeing — House passes resolution rebuking Trump over Syria | Sparks fly at White House meeting on Syria | Dems say Trump called Pelosi a 'third-rate politician' | Trump, Graham trade jabs MORE (D-Ore.), who led the upper chamber’s charge against its version of the bill, which passed in October.

But the cyber bill’s backers — including many lawmakers, industry groups and even the White House — shot  back, arguing the final text addressed many of opponents' privacy concerns. Congress needs to move this necessary first-step bill swiftly, they said, to help combat the rising tide of cyberattacks.

“It is difficult to overstate the threat posed by bad cyber actors to our security, our privacy and our economy,” said House Intelligence Committee ranking member Adam SchiffAdam Bennett SchiffDemocrats want Mulvaney to testify in Trump impeachment probe Republicans seek to delay effort to censure Schiff after Cummings' death Schiff: Mulvaney comments on Ukraine aid have made things 'much, much worse' MORE (D-Calif.), who co-sponsored one of two complementary House bills that passed in April.

“The [final] bill contains the strongest privacy protections to date,” Schiff added. “It is the most significant effort by Congress to address the cyber threat to date and should now become law."

The negotiated bill, now called the Cybersecurity Act of 2015, was the product of several weeks of frantic negotiations.

Lawmakers were trying to merge a measure crafted by the Senate Intelligence Committee with two House bills: one from that chamber's Intelligence panel and another from the Homeland Security Committee.

Lawmakers developed the final text mostly through unofficial discussions, rather than a more formal conference between the two chambers, due to some disagreements between the House and Senate over the conference process and the unusual need to combine three bills.

Negotiators also faced a tight deadline, hoping to wrap up the process and have the bill on President Obama’s desk by the end of the year.

For the last two weeks, lawmakers had targeted the $1.1 trillion spending measure as a way to get the merged bill through Congress before the end of the year.

They just made it in time, producing a final text Tuesday afternoon, just hours before the text of the omnibus was released.

The strategy spurred frustration on Capitol Hill and in the privacy community.

“Neither negotiations — nor even bill text — have been made public,” said a letter circulated to House members on Tuesday and signed by Reps. Justin AmashJustin AmashOvernight Defense — Presented by Boeing — House passes resolution rebuking Trump over Syria | Sparks fly at White House meeting on Syria | Dems say Trump called Pelosi a 'third-rate politician' | Trump, Graham trade jabs House passes resolution rebuking Trump over Syria pullout Grand Rapids synagogue targeted with anti-Semitic posters on its door MORE (R-Mich.), Zoe Lofgren (D-Calif.), Jared Polis (D-Colo.) and Ted PoeLloyd (Ted) Theodore PoeSenate Dem to reintroduce bill with new name after 'My Little Pony' confusion Texas New Members 2019 Cook shifts two House GOP seats closer to Dem column MORE (R-Texas). “We cannot cast such a consequential vote with no input.”

And the release of the final text did not quell their concerns.

“Congress has chosen to advance legislation that places the privacy of Americans in further peril,” said Neema Singh Guliani, legislative counsel with the American Civil Liberties Union. “It would wrongly allow companies to share larger amounts of consumer information with government agencies, potentially including the NSA.”

The privacy community warned that the bill could grant companies the ability to hand information directly to the NSA, a concept that is anathema in the wake of Edward Snowden’s disclosures of the agency’s clandestine surveillance programs.

Schiff denounced these arguments in a letter circulated Wednesday to his colleagues titled, “Inaccurate Claims versus Facts”

The bill designates the Department of Homeland Security (DHS) “as the sole portal for the sharing of cyber threat information with the government," the letter said.

“Only if the president would certify that they can’t do the job would it go to someone else,” Schiff told The Hill Wednesday afternoon.

“Now that’s pretty inconceivable since they are already doing the job,” he added, alluding to the agency’s established cyber hub, which collects and disseminates cyber threat information.

Digital rights groups also critiqued the final text for lacking a strict mandate for companies to scrub personal information before sharing data with the government.

The privacy community and the White House had pushed for the inclusion of a phrase that would require companies to make “reasonable efforts” to identify and remove known personal information.

That phrase, part of the House bill that privacy advocates preferred, did not make the final cut.

But negotiators believe the ultimate language is actually a stronger mandate, arguing that "reasonable" could create a confusing, subjective review standard.

“It’s even a better product than what we originally had,” House Intelligence Committee Chairman Devin Nunes (R-Calif.) told The Hill.

The two sides also tussled Wednesday over a section authorizing the government to use information received under the bill for non-cybersecurity purposes, such as identity theft and espionage.

“It allows, actually provides, that information that is collected under the auspices of cybersecurity can be used for unrelated criminal prosecutions without a warrant,” Lofgren told The Hill.

Proponents countered that such fears are overblown, describing the exceptions as narrowly tailored and considerably slimmed down from previous iterations of the bill.

Negotiators also pointed to a small but important addition to that section during the recent discussions. The final text says that these non-cyber incidents must involve a “specific threat,” which backers say will prohibit abuse of the clause.

“This bill has addressed each of the concerns that were raised by members, as well as by the privacy community,” Schiff said.

“This is not a controversial bill whatsoever,” Nunes insisted, referencing the large margins by which each individual bill passed. “It has overwhelming support.”