But Congress will be under pressure to act with concerns about cybersecurity only growing more intense.
Washington is reeling from recent large-scale hacks that have compromised the U.S. government – most recently to the Office of Personnel Management’s databases, a breach that exposed the personal details of over 22 million people — and foreign espionage outfits in China and Russia have already been sniffing out U.S. intelligence operatives by culling and cross-referencing information from such hacks, the Los Angeles Times reported Monday.
But the long-running debate over cybersecurity has never evaded controversy. The government and intended corporate participants are big boosters, but civil liberties groups and privacy advocates are skeptical of the how well the bill protects individuals.
With the House cybersecurity legislation already done and the Senate agreed on a list of 22 amendments it will consider, there’s not a lot left to figure out in terms of logistics. But if the Senate passes its bill there is potentially a complicated conference process on the horizon. Before getting to that point, the Senate has a few contentious amendments to consider that if adopted could throw off the delicate balance of the bipartisan deal – and send Congress back to the starting line on cybersecurity.
The most vocal critics of the legislation are the Hill’s privacy advocates, who are wary of what will happen with all the information that corporations would share with the government.
Sen. Ron Wyden’s (D-Ore.) amendment is perhaps the stiffest, demanding companies “remove, to the extent feasible, any personal information of or identifying a specific individual… that is not necessary to describe or identify a cybersecurity threat.”
But Republican Sen. Dean Heller’s (R-Nev.) proposal isn’t that far behind, requiring companies to remove information about specific individuals the company “reasonably believes” – instead of “knows” – doesn’t pertain to a cybersecurity threat.
If corporations can’t quite figure out where the line is between threat and not, another pair of amendments shifts the burden of proof to the government. Sen. Chris Coons (D-Del.) would require DHS to limit the dissemination of personal information contained in shared data and scrub clean any information that “is known not to be directly related” to cybersecurity threats being investigated. Sen. Tom Carper (D-Del.) has an amendment allowing the department to delay certain information transfers in order to pay better attention to privacy.
Another group of potential boat-rocking amendments concerns the liability of corporations sharing the information, but not all of them come from privacy advocates.
Sen. Tom Cotton (R-Ark.) proposed an amendment to give corporations legal cover to share information with the FBI or the Secret Service. It’s a touchy subject, as some of the information that DHS collects will likely end up there, but DHS opposes sharing this data with multiple agencies and the amendment would cause an uproar in pro-privacy circles.
A group of Democratic lawmakers will propose an amendment that would have the opposite effect, shifting more legal risk to companies sharing information with DHS. Sens. Al Franken (D-Minn.), Patrick Leahy (D-Vt.) and Wyden would let companies share only information “that is reasonably likely to result” in a cybersecurity breach – meaning companies would have to make that determination, potentially exposing themselves to court challenges, especially if Leahy’s amendment is adopted that would prevent shared information from being exempt from the Freedom of Information Act.
Finally, Sen. Rand Paul (R-Ky.) has an amendment insisting that if a company has a privacy guarantee in a user agreement, that takes precedence over any information-sharing program. That will draw the ire of the business community, for whom liability protections are a key.
The rest of the amendments to the cybersecurity bill pose fewer direct challenges to the legislation. Extra money for cybersecurity at OPM after that massive hack, for example, may not end up being an easy vote, but it also will likely not make or break the cybersecurity bill. Similarly, amendments to commission reports about cybersecurity may have their naysayers, but win or lose, those amendments shouldn’t rock the balance.
But a few outlier amendments could create headaches for the bill’s managers. Sens. Jeff Flake (R-Ariz.) and Franken want to sunset the legislation after six years, giving Congress a built-in chance to assess and edit itself, but potentially irking companies planning their activities more than six years out. And there are concerns that a Sen. Chris Murphy (D-Conn.) amendment to give foreign citizens of U.S. allies the right to challenge personal data collection in American courts would set too broad a legal precedent for claiming civil remedies.