Senate sponsors of a stalled cybersecurity bill are touting a swath of new provisions added in recent weeks in an attempt to sway undecided lawmakers. The changes also are intended to highlight the bill’s commitment to privacy protection.
Senate leaders plan to wrap up debate and pass the measure early next week. But first they need to overcome some procedural hurdles from opponents, who appear to be in the minority.
Sen. Dianne Feinstein (D-Calif.), Vice Chairman of the Senate Intelligence Committee, wrote the bill with Chairman Richard Burr (R-N.C.). She spent much of her time on the Senate floor Wednesday outlining the changes.
Feinstein said the new version of the bill “is really a major effort” to encapsulate what members from both political parties told them. Many of the amendments that individual senators proposed earlier in the year are now in the new version.
“I think the numbers are about equal for Republican and Democratic amendments that are incorporated,” Feinstein said. “I want the record to reflect what this does, it’s very important, at least to me.”
“I do this to show we have listened to people, and we have tried to include this. And so nobody should feel we are ramming through a bill, that we haven’t considered others,” Feinstein added.
The bill aims strengthen American cybersecurity by providing legal liability protections for private entities that wish to share information with the government when a cyber threat indicator is present.
This is the third time that the bill, S. 754, has been on the Senate floor this year. First, it was considered and then rejected as part of a defense authorization bill. Then it came to the floor as a free-standing measure in July.
Senate Majority Leader Mitch McConnell had planned to pass it before the August recess, but the debate became tripped up over questions from some lawmakers — the most vehement was Sen. Ron Wyden (D-Ore.) — over customers’ lack of control over their data. McConnell was forced to pull the unfinished bill from the floor.
Since then, major tech organizations that represent the likes of Google and Apple have come out against the measure, citing fear of “collateral harm” to Internet users.
The information sharing program is voluntary, Feinstein reiterated multiple times on the Senate floor Wednesday, a point she and Burr have pressed for weeks to soothe privacy advocates’ worries. “It’s hard for me to understand why we have companies like Apple and Google and Microsoft and others saying they can’t support the bill at this time,” Feinstein said. “You have no reason, because you don’t have to do anything. There are companies by the hundreds, if not thousands, that want to participate in this. This we know.”
Lately, Wyden has been the almost the only vocal Senate voice opposing the bill. He has coined the term “surveillance bill,” which he regularly uses with reporters and in floor speeches.
Feinstein took this accusation head-on. She said one change in the new version would clarify that cyber information shared with the government could not be used to prosecute non-cyber related crimes. She called the revision “a very significant privacy change.”
“We made this change because it has been a top bipartisan concern, and the [earlier] provision had been used by privacy groups to claim that this is a surveillance bill. This is not a surveillance bill,” she said.
The new bill also takes steps to ensure that personal identifying information is stripped from any data shared with the government. That is another major concern for governments.
The latest version of the bill calls for a real-time filter in a portal where shared private-sector information would go. This filter would take out anything related to personal information before the data goes to federal agencies to be examined for cyber threats.
The changes did little to convince Wyden, who continues to oppose the bill. “There were a number of smaller changes to the bill, but the substitute amendment did not address Sen. Wyden’s core concern — that [the bill] lacks strong protections for individuals’ privacy,” Wyden’s spokesman, Keith Chu, said in an email Wednesday.
On the Senate floor, Wyden questioned a provision that says a company must review the data provides to the government and remove any information that it knows is personal and unrelated to a cyber threat. “This language, in my view, clearly creates an incentive for companies to dump large quantities of data over to the government with only a cursory review,” Wyden said. “This bill says, ‘With respect to personal data, when in doubt, you can hand it over.’”
Wyden has offered an amendment to require companies to remove, “to the extent feasible,” any information that identifies an individual unrelated to a cybersecurity threat.
Other Democrats are supportive. Sen. Bill Nelson (D-Fla.) said Wednesday that he believes the bill balances the “urgent need” to protect against cyberattacks with privacy concerns.
“What happened to Sony will happen to numerous businesses,” Nelson said, referring to the massive hack Sony Pictures Entertainment suffered last year. “It’s here, and we’re gonna pass it this week,” he added.
Sen. Angus King (I-Maine), who caucuses with the Democrats, weighed in with his support. “We have to take action today. No business is immune. No individual is immune. And of course this country is not immune. The price of inaction is just too high,” he said. “Some people say that it compromises privacy. I don’t think it does.”