Like clockwork, the Edward Snowden revelations about government surveillance continue to rattle and upend the congressional cybersecurity policy debate at regular intervals.
Just as the business community’s confidence was growing about winning a summer public relations battle over cyber information-sharing legislation, The New York Times and ProPublica published the latest installment in a series of articles based on leaks by the fugitive former National Security Agency contractor.
The story landed as industry groups and digital advocates work feverishly to shape public opinion in advance of a possible Senate floor debate in the fall.
Senate leaders have positioned the info-sharing bill by Intelligence Chairman Richard Burr, R-N.C., and ranking member Dianne Feinstein, D-Calif., for floor consideration perhaps in the second half of September, after debate on the Iran nuclear deal. Similar legislation passed the House in the spring with strong bipartisan support.
A strange-bedfellows group of senators, ranging from Ron Wyden, D-Ore., on the Left to Rand Paul, R-Ky., on the Right, is vowing to fight the bill on privacy and civil liberties grounds.
But just as industry unfurled a “fact versus myth” campaign designed to counter arguments against the bill, the Snowden impact was felt once again.
An Aug. 15 Times story revealed an expansive surveillance relationship between the NSA and AT&T; the company was portrayed as extraordinarily willing to share information with the spy agency, including emails.
“AT&T helped U.S. spy on Internet on a vast scale,” the Times headline read. The telecom giant declined to comment on a “national security” story.
But industry supporters of the so-called CISA bill immediately realized that the story could deliver a serious blow to the cyberlegislation’s prospects in the fall.
It certainly “galvanized” the online privacy community, in the words of one industry source, and fit snugly into the narrative pushed by CISA foes that neither the government nor industry should be trusted to use cyberthreat data for limited cybersecurity purposes.
“If the Cyber Information Sharing Act were to pass, companies like AT&T would be encouraged to share more of their customers’ data with law enforcement and surveillance agencies in the United States without concern about any privacy laws,” said Peter Micek, senior policy counsel at the digital rights group Access. “In fact, the bill creates legal incentives to encourage companies to give more and share more private data. This news should put an immediate halt to consideration of CISA.”
Micek said: “User trust in the information economy has taken a big hit, and privacy is on the ropes. AT&T should apologize to their customers for selling out their rights and take steps to ensure the company respects all human rights. A good first stop on the path to redress would be to pull their support of CISA — a cybersurveillance bill designed to reward these rights-abusing partnerships.”
Industry groups tried punching back. “In my mind, there’s no reason to slow pushing CISA for one second,” said one business lobbyist. “The Times story is limited to a company. The policy and legal underpinnings are different.”
CISA is not about “surveilling law-abiding citizens but about guarding U.S. cybernetworks, respecting privacy, and sharing threat data at Internet speeds,” the industry source said. “There ought to be no impact on CISA. The bill should get taken up the first week the Senate gets back.”
Other industry sources said there are still reasons to believe the bill will advance this fall.
“I’m still optimistic that you can get a bill to the president this year,” said a financial-sector source. For one thing, Senate Majority Leader Mitch McConnell, R-Ky., and Minority Leader Harry Reid, D-Nev., reached agreement on how the bill would be debated, with a total of 21 amendments to be considered.
For another, the White House has called for passage of the bill. The Obama administration never offered support for similar legislation last year.
And, the financial industry source said, “There seems to be a widespread willingness to get this done” among senators.
But concerns about the impact of the latest Times story probably can’t be overstated. The Snowden leaks published by the newspaper and ProPublica played a significant role in derailing last year’s info-sharing bill.
Opponents of the legislation are revving up arguments that this year’s version is also a “surveillance bill” lacking meaningful protections for citizens in cyberspace.
In June, the Times and ProPublica published a report detailing the NSA’s allegedly broad view of its surveillance authorities.
“Those who have said that the cybersecurity bills are not about surveillance have been proven wrong. The new revelations show that the NSA sees surveillance as the flip-side of cybersecurity,” the Center for Democracy and Technology’s Gregory Nojeim said at the time of that report. “Being the victim of a cyberattack should not be a reason for the NSA to collect your communications and mine them for intelligence purposes.”
Amie Stepanovich of Access published a piece last week in Wired hammering at the “involuntary” nature of the bill, when it came to consumers’ unwitting participation in the program or even for companies that sign a cooperative agreement with the government. The legislation “sacrifices peoples’ privacy and security at the altar of corporate liability protection,” Stepanovich wrote.
The industry-based Protecting America’s Cyber Networks Coalition put out its latest “facts versus myth” statement on Aug. 19, explaining that “cyberthreat indicators” typically don’t include personal information — and that such data would be scrubbed if it were included.
Industry groups had hoped a summer of “facts” about the CISA bill would shape the playing field for a successful fall debate. But bill opponents continue to dominate the headlines thanks to ammunition supplied by the leaks.
Some industry sources argue that the short legislative calendar in the fall is the biggest obstacle to passing CISA.
But with another batch of Snowden revelations probably coming in September or October, McConnell may be weighing whether a messy debate over online privacy fits into his schedule.
Charlie Mitchell is editor of InsideCybersecurity.com, an exclusive service covering cybersecurity policy from Inside Washington Publishers.
