Congress doesn’t agree on much these days, but one thing every lawmaker seems to have in common is no one wants his or her email hacked. That’s the theme of the conversation around two cybersecurity bills riding their way through both chambers of Congress on a rare wave of bipartisan support. Both bills are expected to pass next month despite an outcry from nervous privacy advocates.
The U.S. House of Representatives Intelligence Committee unanimously approved a highly anticipated cybersecurity bill Thursday that is co-sponsored by Rep. Adam Schiff, D-Calif., and Rep. Devin Nunes, R-Calif. By all rights, those two lawmakers should never agree on anything: Schiff is a prominent advocate of online surveillance reform and Nunes famously called one National Security Agency critic “al Qaeda’s best friend in Congress.” What makes their agreement more bizarre is that, after near-historic levels of inaction, the Senate Intelligence Committee just approved a similar cybersecurity bill, 14-1.
Both bills are expected to go up for chamber-wide votes by the end of April, the result of a rare bipartisan urgency usually seen only for legislation crafted in the wake of a major event (like the Patriot Act after the Sept. 11 terrorist attacks). That appears to be the case here, with Congress spending the last five years trying and failing to pass a comprehensive cybersecurity law that might’ve stopped the hack on Sony Pictures or Anthem health insurance.
Too Many Loopholes?
But for all the benefits lawmakers keep touting -- liability insurance for hacked companies, increased cooperation between the private and public sectors, improved national security -- the effort behind both bills could all be for naught because of privacy concerns. The Senate bill in particular, known as the Cyber Intelligence Sharing and Protection Act (Cispa), has infuriated privacy advocates who say the bill’s wording creates too many loopholes.
Cybersecurity is unique in a political climate where lawmakers are still bitterly divided on the best way to protect Americans’ personal information.
“That concern about the government is shared by the tea party Republicans and by somewhat left-leaning liberals,” said Robert Jervis, a professor of international politics at Columbia University. “The conservatives have a general sense of a small government and say ‘Look what’s happened,’ whereas the older left remembers Nixon and even McCarthy.”
The Electronic Frontier Foundation has asserted that by using overly vague language and giving companies new immunity power, Cispa would remove safeguards meant to prevent companies from sharing customer data without permission. They also deemed it redundant after President Barack Obama signed two executive orders this year mandating more communication on threat information.
“First, [Cispa] authorizes companies to launch countermeasures (now called ‘defensive measures’ in the bill) for a ‘cybersecurity purpose’ against a ‘cybersecurity threat,’” EFF Legislative Analyst Mark Jaycox wrote in a blog post. “‘Cybersecurity purpose’ is so broadly defined that it means almost anything related to protecting (including physically protecting) an information system, which can be a computer or software. The same goes for a ‘cybersecurity threat,’ which includes anything that ‘may result’ in an unauthorized effort to impact the availability of the information system.”
Privacy advocates are slightly more optimistic about the House bill.
Dubbed the Protecting Cyber Networks Act, the legislation would require personal information to be “scrubbed” twice before it was transmitted to the Department of Homeland Security, lawmakers told Reuters.
Willing To Sacrifice Privacy
Yet, while privacy groups are still looking through the bill, the American Civil Liberties Union said it could still be possible for spy agencies to access personal information that has no relevance on cybersecurity.
Americans, for the most part, don’t seem to care. Polls have consistently shown that U.S. citizens are willing to sacrifice their privacy if it helps the government investigate foreign security threats. A Washington Post-ABC News poll in January found that the public thinks it’s more important to investigate possible terrorist threats than to not intrude on personal privacy, by a margin of 63 percent to 32 percent. That feeling has largely been reflected in Washington since the Sept. 11 attacks.
Differences between the bills would need to be resolved before a final version goes to Obama, who threatened to veto earlier versions of Cispa in 2012 and 2013, citing privacy concerns. Nunes admitted the House bill’s best hope of passing might be when a new president takes office in 2017.
All of which might be trumped by the simple need to do something -- anything -- to slow down the embarrassment that comes with major data breaches. Jervis added that, as the Republican-controlled Congress sets the stage for the 2016 presidential election, its members are still trying to prove they can govern.
“The very fact that there aren’t many issues where Congress can do something might be an issue where if they simply prove they can do it they might find some momentum on it,” he said. “It’s hard to think of an issue where there’s this much agreement.”