After a trip through Congress that went relatively smoothly in the first part of the year, cybersecurity legislation is set to finally cross the finish line, but with a few more bumps.
Its inclusion in the $1.1 trillion omnibus package, set to pass Congress this month, has met with approbation from advocates and opprobrium from critics. “These House-passed policies becoming law is an important step to increase our defenses against damaging cyberattacks,” Majority Leader Kevin McCarthy, R-Calif., said in a statement late on Wednesday.
On the other side, critics, including Reps. Justin Amash, R-Mich., John Conyers, D-Mich., Zoe Lofgren, D-Calif, Jared Polis, D-Colo., and Blake Farenthold R-Texas, sent a letter to fellow lawmakers condemning the text of the legislation, which has changed at a rapid pace.
“What was intended to be a cybersecurity bill to facilitate the sharing of information between the private sector and government was instead drafted in such a way that it has effectively become a surveillance bill, and allows information shared by companies to be used by the government to prosecute unrelated crimes,” the group wrote to their colleagues.
Yet leaders on the House Intelligence Committee, including Chairman Devin Nunes, R-Calif., and Ranking Member Adam Schiff, D-Calif., have insisted the final product will speak to some of the concerns that skeptics have expressed. That includes the complaint that information the legislation permits companies to share with government could include too much personally identifiable information, rather than aggregated data.
“It is difficult to overstate the threat posed by bad cyberactors to our security, our privacy and our economy,” Schiff said. “After several years of effort, Congress has now produced a bipartisan cyber bill that allows the private sector and government to share information about malicious intrusions to protect Americans from further harm. The bill contains the strongest privacy protections to date.”
The legislation that gave birth to the current text was the Cybersecurity Information Sharing Act, passed 74-21 by the Senate in October, H.R. 1560, passed by the House 307-116 in April, and H.R. 1731, which also passed the lower chamber that month 335-63.
The House versions gathered greater consensus, in part, because they were more responsive to concerns from privacy advocates, safeguarding consumers’ personal information and requiring it to filter through a hub of the Department of Homeland Security.
Evan Greer, the executive director of Fight for the Future, a group opposed to the bill, suggested to the Washington Examiner that the more recent product will allow companies to share information with entities like the National Security Agency and the Department of Defense, and remove a prohibition on using the information for “surveillance” activities.
“Gutting the already insufficient civil liberties protections that the bill offered has made it clear that this is a mass incarceration bill that will empower the government to prosecute and jail people using the data they collect,” Greer said in a statement, “for a wide range of offenses that have nothing to do with cybersecurity or terrorism.”
