📷 Key players Meteor shower up next 📷 Leaders at the dais 20 years till the next one
NEWS
Cybersecurity

Privacy concerns delay final passage of cybersecurity info-sharing bill

Erin Kelly
USA TODAY
The U.S. Office of Personnel Management headquarters in Washington, D.C.

WASHINGTON — Final passage of legislation to thwart hack attacks is being delayed as lawmakers clash over how best to protect the privacy of Americans' personal information.

Congress passed three different versions of cybersecurity legislation this year in the wake of high-profile hacks of U.S. companies and the federal government, including the massive attack on the U.S. Office of Personnel Management that compromised the personal data of more than 21 million federal employees, job applicants and their families. Other major hacks targeted Sony Entertainment, Home Depot, JPMorgan Chase, Target, T-Mobile and the Internal Revenue Service.

Despite widespread agreement in Congress on the need to pass a cybersecurity bill, a final compromise on the legislation is taking longer than expected amid disagreements over which piece of legislation has the strongest privacy provisions.

Lawmakers are under pressure from the U.S. Chamber of Commerce and other business groups to pass a bill immediately while some privacy advocates are urging Congress to scrap the legislation entirely.

Senators voted 74-21 in October to approve the Cybersecurity Information Sharing Act, which encourages private companies to voluntarily share cyber threat information with the government and one another. The bill, by Senate Intelligence Committee Chairman Richard Burr, R-N.C., and Vice Chairman Dianne Feinstein, D-Calif., gives companies immunity from lawsuits by shareholders and consumers for sharing the information.

Since then, aides for the Senate Intelligence Committee have been negotiating with House staffers to try to combine that bill with two separate pieces of cybersecurity legislation passed by the House in April.

Supporters of cybersecurity legislation are hoping to bring a final bill to a vote in the House and Senate before Congress adjourns for the year, which should happen sometime next week. There has been talk that the cyber bill could be tacked onto a massive omnibus spending bill to keep the federal government operating through fiscal 2016.

"It's either this scenario or we wait until early 2016, and chamber members definitely prefer seeing passage sooner rather than later," said Matthew Eggers, senior director of the National Security and Emergency Preparedness Department at the U.S. Chamber of Commerce. "The cyber bill won’t stop all attacks, but it will help organizations better protect the Internet and their own information systems by knocking down barriers to sharing and receiving threat data."

Porch shooting defendant grilled by prosecutors

However, a coalition of 19 civil liberties groups, in a letter to President Obama and congressional leaders Wednesday, said they fear that negotiators from the House and Senate intelligence committees are stripping out privacy protections that were in the House Homeland Security Committee version of the bill.

Specifically, coalition members worry that the final bill will be stripped of the requirement that any cyber threat information from the private sector be sent to the Department of Homeland Security, a civilian agency that has stricter privacy regulations than the Pentagon's National Security Agency. The NSA has generated controversy for its mass surveillance of Americans' phone data.

The Homeland Security Committee's bill also has more robust requirements for removing consumers' personally identifiable information before companies share their data with the government or before DHS shares it with other federal agencies, said Evan Greer of Fight for the Future.

"Let me be clear that we do not support any of the three bills and believe that cybersecurity legislation could actually make us more vulnerable to cyber attacks by housing more personal information with government agencies that aren't good at protecting it," Greer said. "But, of the three bills, the House Homeland Security Committee's bill had the strongest privacy protections and was sort of the least terrible."

House Homeland Security Chairman Michael McCaul said Wednesday that he also is concerned that the privacy protections in the bill passed by his committee will be weakened. He said he would prefer to wait and have a formal conference committee made up of House members and senators negotiate a final bill rather than relying on staff talks to try to speed legislation through Congress in the next few days.

"We want DHS to be the lead civilian agency — not the FBI, who can prosecute you; not the NSA, who can spy on you," McCaul, R-Texas, said at a newsmaker breakfast hosted by the Christian Science Monitor.

McCaul said he has warned Republican House leaders that they could lose votes on the 2016 government spending bill if they try to tack on cybersecurity legislation that does not include strong privacy protections.

"We have to be very careful about how we negotiate this," he said.

Rep. Adam Schiff of California, the senior Democrat on the House Intelligence Committee, said negotiators "are very close" to reaching an agreement on a compromise bill. He said he hopes Congress will pass the legislation before it adjourns for the year because "we cannot afford to wait any longer."

"We hope to unveil the finished product as soon as possible," Schiff said Wednesday. "We feel a great urgency to pass an information-sharing bill because of the grave threats to our public and private networks. For me, a chief concern in any info-sharing bill has been maximizing privacy protections, and I believe that this forthcoming legislation will have the strongest privacy safeguards of any cyber bill to date."

Featured Weekly Ad