WASHINGTON—The massive year-end spending measure includes a provision that will encourage companies to share cyber threat information with the government while providing them with liability protections for not acting on information received.
The measure, a culmination of several years of effort to pass a cyber bill, brings together three different versions that passed the House and Senate earlier this year with hefty bipartisan support. It was released early Wednesday morning.
The Cybersecurity Act of 2015 largely hews to the Senate version of the bill, which passed despite concerns about privacy and transparency from some senators and technology companies, such as Apple and Yelp.
But there are some changes.
The bill allows the president to designate an agency other than the civilian Homeland Security Department to act as a portal for sharing cyber threats with the government only if DHS cannot and it is necessary. However, the Defense Department, including its National Security Agency, is specifically excluded from becoming an alternate portal.
Rep. Adam Schiff, D-Calif., the ranking member of the House Intelligence Committee, urged lawmakers to support the bill and said it was a major improvement over what was put forward last session, which he said lacked privacy protections.
“The bill is very protective of privacy while also doing a lot to help companies protect themselves from cyberattack,” Schiff said. “We have to measure this against the daily invasion of our privacy by these hackers. Those who believe that perfect should be the enemy of the good, have to justify how they’re willing to accept rampant hacking into our privacy and do nothing about it.”
The bill’s liability protections are meant to incentivize data sharing with the government, and offset a major reason why prior bills have failed to pass. Supporters of the cyber sharing bill say it’s necessary to raise the cost to an attacker and ensure the same threats aren’t repeatedly deployed.
The bill also calls on businesses and the government to remove, or scrub, personal identifiable information from threat data before sharing that information.
The first scrub is done by the company when it shares with the Homeland Security Department, and the second when DHS passes it on to other agencies. However, if the cyber threat pertains to a specific threat of the loss of life, economic damage, serious injury or the effort to prosecute or prevent the exploitation of a minor, the personal identifiable information may be passed on.
Sen. Ron Wyden, D-Ore., called the bill “even worse” today, lacking meaningful privacy protections to ensure personal information isn’t passed on and doing little to prevent major hacks.
“Americans deserve policies that protect both their security and their liberty. This bill fails on both counts,” Wyden said.
The ACLU called the cyber bill “a surveillance bill by another name.”
“Instead of passing reforms that would have stopped the Anthem or OPM (Office of Personnel Management) hack, Congress has chosen to advance legislation that places the privacy of Americans in further peril,” it said in a statement, warning that information could be used for criminal prosecutions unrelated to cybersecurity.
The White House has supported prior language in the cybersecurity bill.
Also included in the spending measure is the Intelligence Authorization Act, which matches language in a bill that passed with overwhelming support in the House earlier this month. The bill authorizes a 7 percent spending increase for intelligence agencies and presses President Barack Obama to produce a strategy to defeat the Islamic State.
The bill also restricts the president’s privacy and civil liberties oversight board from obtaining information about covert CIA operations and requires regular reports to Congress describing the numbers of foreign fighters going to and from Syria and Iraq.
The House is scheduled to vote Friday on the omnibus bill.