After months of stalling due to privacy concerns, last-minute changes made to the Senate’s cybersecurity bill have caused the tech industry and privacy advocates to temper their opposition. The bill’s path to a conference committee and final passage is clearer now than it has been all year.
The Senate is now expected to pass a cybersecurity bill Tuesday after months of delay. A House aide says lawmakers hope to move quickly to a conference committee.
Two cybersecurity bills passed the House in April. One came from the House Homeland Security Committee, and one came from the House Intelligence Committee. Representatives from the tech industry prefer the Homeland Security’s version because it has provisions they say keep it from becoming a surveillance bill. The two versions have been combined into one package for the purposes of a conference committee, according to the aide.
The various versions will mean lobbyists will be paying close attention to what’s in and what’s out during conference talks. Outside advocates say it will be critical to keep the provisions that made the Senate version of the bill acceptable to them.
Last week, the Senate voted 83-14 to move forward on its cybersecurity bill after Senate Intelligence Committee Chairman Richard Burr (R-N.C.) and Vice Chairman Sen. Dianne Feinstein (D-Calif.) made changes to it. The changes integrated new privacy protections in an attempt to bring opponents, specifically the tech industry, on board.
It worked. Tech industry sources told Morning Consult that Burr and Feinstein’s changes answered many of their concerns. From a tech perspective, at least, these changes have made passage of the bill acceptable.
One source said the manager’s amendment included new privacy checks that were lacking in the original version. While the tech industry isn’t going so far as to give a public endorsement of the bill, they are pleased with the big changes.
Privacy advocates are less enthusiastic. Greg Nojeim, senior counsel and director of the Center of Democracy and Technology’s Freedom, Security and Technology Project, said in an interview Monday that while no privacy groups could support the bill, the amendments made to the bill were improvements.
“All the improvements to the bill are along those lines,” Nojeim said. “They make [it] not as bad,” he added.
The bill, S. 754, would incentivize private companies to share information with federal agencies when there is a cyber threat by providing protection from any potential lawsuits.
Adding protections for user’s personal information was the big change that brought techies on board. They still hope that the Senate will pass an amendment from Sen. Thomas Carper (D-Del.) that would require all federal agencies to agree to a protocol in which the Department of Homeland Security could delay real-time sharing to other agencies. That looks likely to happen.
Tech advocates also hope that two amendments will pass Tuesday before senators vote on final passage. The first comes from Sen. Ron Wyden (D-Ore.), an outspoken opponent of the legislation. His amendment aims to bring increased responsibility for companies to remove personal information from their data before sharing it with government agencies.
Wyden says the bill’s current language, which requires a company to remove any personal information “it knows” is unrelated to a cyber threat before sharing it, is problematic. “This language, in my view, clearly creates an incentive for companies to dump large quantities of data over to the government with only a cursory review,” Wyden said in a floor speech last week.
His amendment would replace that provision with language obliging companies to remove personal information “to the extent feasible.” Tech and privacy advocates prefer this option.
The second is an amendment from fellow privacy-conscious Democrat, Sen. Al Franken (D-Minn.). Franken’s amendment seeks to clarify the definition of “cyber threat indicator.” Franken says the way the bill is currently written applies to any “threat,” even if there is no realistic risk posed. His amendment would require the threat be “reasonably likely” to be harmful to security for it to be shared.
Amendments or no amendments, the bill is almost certain to pass. Even privacy advocates are resigned to the bill getting through the Senate.
Instead of trying to halt the bill’s progress, opponents are now focused on how to amend when the Senate conferences with House members to create a final version.
The House passed two similar information-sharing bills, H.R. 1560 and H.R. 1731, in April of this year. Nojeim said the biggest difference between the two is that in the Homeland Security bill, sharing a cyber threat indicator can’t be used to prosecute other crimes. “That’s really the surveillance aspect of the [other] bills,” he said.
Tech and privacy advocates worry that a speedy conference could see the worse aspects of the various versions come together. “The fear is that the members who reconcile the two bills will cherry-pick the provisions that are least good for privacy and the result will be the worst of both worlds” Nojeim said. “That’s certainly a possibility.”
Some in the tech industry are fine with both House measures, though. The Information Technology and Industry Council, a group representing big names in tech including Facebook, Twitter, Apple, Google and Microsoft, wrote a letter to House leadership in late April supporting the two House cybersecurity bills.
“Our members recognize we must protect and defend networks to enhance cybersecurity,” the letter said. “ITI firmly believes that passing legislation to help to increase voluntary cybersecurity threat information sharing between the private sector and the federal government, and within the private sector, is an important step Congress can take to enable all stakeholders to address threats.”