After four years of wrangling, Congress appears on the verge of approving cybersecurity legislation that the White House and lawmakers hope will help reduce the threat to the nation from foreign government and criminal hackers.
It would be the first major piece of cyber legislation passed in recent years, but even backers do not pretend it is the silver bullet. Still, they say it is a start to better protecting private sector and government computer systems from costly intrusions.
“It is difficult to overstate the threat posed by bad cyber actors to our security, our privacy and our economy,” said Rep. Adam Schiff (D-Calif.), ranking member on the House Intelligence Committee. The bill, he said, “is the most significant effort by Congress to address the cyber threat to date, and should now become law.”
Intelligence committee leaders in both houses worked a last-minute compromise to insert the legislation into the must-pass omnibus spending bill—which is expected to be voted on by the House on Friday, and then by the Senate.
“How would you feel if there was a cyberattack over Christmas, and we had an opportunity to pass this into law?” said Sen. Richard Burr (R-N.C.), chairman of the Senate Select Committee on Intelligence. “We worked very closely with the White House to get this done as quickly as we could.”
The legislation to promote information-sharing about cyberthreats has been a goal of the Obama administration and Congress for years as the nation has faced one major breach after another, from Target and Sony to the Office of Personnel Management intrusions that compromised the personal data of 22 million individuals.
But the legislation has languished as business and privacy advocates clashed over liability protections and concerns that individuals’ personal information be sufficiently protected.
Earlier this year, the House passed two cybersecurity bills while the Senate passed its legislation in October. The House and Senate bills granted companies different degrees of liability protection from lawsuits for sharing cyber threat data with the government or another company. The bills also set different standards for how and when personal information would be scrubbed from the data shared, and which agency would serve as the collection portal.
The bill’s backers said they added measures to protect privacy. For instance, the Department of Homeland Security, a civilian agency, is the primary portal to collect data from companies. The data may not be shared directly with the National Security Agency or the Defense Department. And information about individuals not related to a cyber threat must be scrubbed.
However, the new bill, at the White House’s urging, includes a provision that allows real-time sharing between DHS and other agencies, such as the NSA. That means that once information is shared with DHS, it can be sent to other agencies right away.
And, privacy advocates say, that may not leave time to scrub the data of personal details. Moreover, they said, the requirement to purge data of personal details was watered down to apply only when the agency “knows” the data is personal and is unrelated to the cyber threat.
The compromise bill also allows the data to be used to prosecute crimes unrelated to the cyber threat, which might include prosecuting leakers. “Once again, members of Congress are using the government funding bill to pursue their extremist agendas,” American Civil Liberties Union executive director Anthony D. Romero said in a statement.
Plans to reconcile the bills were accelerated when the omnibus presented itself as a potential vehicle to carry the legislation. Some lawmakers also said they wanted to resolve the information sharing issue so they could turn their attention to issues such as encryption, a concern that has been raised by national security hawks in the wake of the terror attacks in Paris and San Bernardino.
Some analysts said the bill would improve cybersecurity, especially for government agencies and small businesses, which really need the help. “Large companies have already been sharing information among themselves, but not always with governments or smaller enterprises,” said Stewart Baker, a former senior policy official at the Department of Homeland Security who is now a partner at Steptoe & Johnson. “So I expect this to level the playing field in a good way – by improving the weaker players.”
Nonetheless, Baker said, the bill will not solve the cybersecurity crisis. “Information sharing is just one necessary security measure, not a panacea.”