A Senate bill to beef up cybersecurity in the wake of a massive breach that exposed the personal data of millions of Americans is putting the Obama administration at odds with key Democratic lawmakers and privacy advocates.
The White House renewed its push for additional cyber legislation when the Office of Personnel Management revealed in June that hackers compromised the sensitive information of more than 22 million Americans.
Majority Leader Mitch McConnell, R-Ky., plans to bring to the floor a bill as early as Tuesday outlining how the government and private sector can share information about cyber threats and hacks.
The Cybersecurity Information Sharing Act, or CISA, has the White House’s backing, much to the chagrin of some Democrats, including Sens. Ron Wyden, D-Ore., Patrick Leahy, D-Vt., and Al Franken, D-Minn.
CISA “is not a cyber bill, it is a surveillance bill,” Wyden said during a conference call organized by privacy advocates.
The bill would protect businesses from liability claims when they share information that can help bolster cybersecurity but doesn’t do enough to protect Americans’ private information that might get shared with the government as well, Wyden said.
The OPM hacks showed that the government isn’t capable of handling the information it already has, Wyden argued, and said the idea of having “companies cough up more of your private information” didn’t “pass the smell test.”
Democrats and Republicans are hoping to offer amendments that would boost the bill’s privacy measures.
A senior administration official said that, “While there are still areas of concern that we hope to address, the bill’s sponsors have made a good faith effort to address some of our biggest concerns. … We are very encouraged by this progress and want to work with Congress to ensure that cybersecurity legislation preserves the long-standing, respective roles and missions of civilian and intelligence agencies and contains appropriate privacy protections.”
The official continued, “Cybersecurity is an important national security issue and the Senate should take up this bill as soon as possible and pass it.”
That puts the White House at odds with the Homeland Security Department, which outlined its reservations about the bill in a letter to Franken.
The agency runs the National Cybersecurity and Communications Integration Center, which “serves as a central hub for cybersecurity information sharing between federal agencies, the private sector, law enforcement and the intelligence community,” according to Alejandro Mayorkas, the deputy Homeland Security director who signed the letter.
The Senate legislation would distribute cyber threat information across government agencies instead of preserving the Homeland Security center as the central repository. That “will increase the complexity and difficulty of a new information-sharing program,” Mayorkas wrote.
Furthermore, “permitting sharing directly with law enforcement and intelligence entities will be of significant concern to the privacy and civil liberties communities,” Mayorkas wrote.
Even with a manager’s amendment aimed at allaying privacy concerns introduced on Monday, advocates who have inundated lawmakers with more than 6 million faxes against the bill are not placated.
The changes “won’t stop the government from instantly passing along information to intelligence agencies,” said Nathan White, spokesman for Access, an online privacy group. “Law enforcement can still use information to prosecute whistleblowers under the Espionage Act.”
White argued, “The bill retains broad liability protection for organizations violating the privacy rights of their users. It still permits defensive measures with harmful external affects. It still lacks transparency.”
The DHS letter “makes it overwhelmingly clear that, if the Senate moves forward with this cybersecurity information-sharing bill, we are at risk of sweeping away important privacy protections and civil liberties,” Franken said on Monday in making the letter public.
The letter was the Homeland Security Department’s response to a list of questions Franken, the top Democrat on the Senate Judiciary Committee’s privacy panel, sent on July 1.
Wyden said he understands the motivation behind the legislation but said the bill passed out of the Senate Intelligence Committee in March with only one dissenting vote — his — is not the right answer.
“Clearly, elected officials are under a lot of pressure to have some kind of response … to the OPM hack,” he said. “The federal government needs to step up its game” to protect its data “but this is the wrong approach.”
