Responding to Sony Hack, Senate Advances Major Cybersecurity Bill

The Senate Intelligence Committee passed a controversial information-sharing measure Thursday, despite fears it could embolden more NSA spying.

National Journal
Dustin Volz
Add to Briefcase
Dustin Volz
March 12, 2015, 12:24 p.m.

The Sen­ate In­tel­li­gence Com­mit­tee ap­proved a bill Thursday seek­ing to in­crease the shar­ing of di­git­al data between the gov­ern­ment and private sec­tor, mark­ing the first ser­i­ous move to up­grade the na­tion’s cy­ber de­fenses since the crip­pling hack on Sony Pic­tures late last year.

In a closed-door meet­ing, the pan­el ad­vanced 14-1 the Cy­ber­se­cur­ity In­form­a­tion Shar­ing Act, which would provide ex­pan­ded leg­al li­ab­il­ity to com­pan­ies so they more eas­ily share di­git­al data with the gov­ern­ment—an ar­range­ment the bill’s back­ers say would help de­tect, pre­vent, and re­spond to cy­ber in­tru­sions.

The bill’s pas­sage comes des­pite con­cerns from pri­vacy ad­voc­ates that the meas­ure will bol­ster the gov­ern­ment’s powers to con­duct even more sur­veil­lance on Amer­ic­ans.

Sen­ate In­tel­li­gence Com­mit­tee Chair­man Richard Burr called the vote a “truly his­tor­ic” step for­ward that will al­low com­pan­ies to de­ploy “dif­fer­ent de­fense mech­an­isms” to block and lim­it cy­ber­at­tacks.

“This bill will not pre­vent [all cy­ber­at­tacks] from hap­pen­ing,” Burr told re­port­ers. But he ad­ded that the le­gis­la­tion would have gone a long way in min­im­iz­ing the dam­age wrought by re­cent hacks on com­pan­ies ran­ging from An­them In­sur­ance to Home De­pot.

Only Demo­crat­ic Sen. Ron Wyden, a staunch civil-liber­ties ad­voc­ate, op­posed the meas­ure, call­ing it “a sur­veil­lance bill by an­oth­er name.”

“Cy­ber­at­tacks and hack­ing against U.S. com­pan­ies and net­works are a ser­i­ous prob­lem for the Amer­ic­an eco­nomy and for our na­tion­al se­cur­ity,” Wyden said in a state­ment im­me­di­ately after the vote. “It makes sense to en­cour­age private firms to share in­form­a­tion about cy­ber­se­cur­ity threats. But this in­form­a­tion shar­ing is only ac­cept­able if there are strong pro­tec­tions for the pri­vacy rights of law-abid­ing Amer­ic­an cit­izens.”

The vote marks Con­gress’s first ma­jor step on cy­ber vul­ner­ab­il­it­ies since last year’s Sony hack made data se­cur­ity a top pri­or­ity for the White House and law­makers in both parties. It also ar­rives amid a string of hacks, such as the re­cent theft of data of some 80 mil­lion An­them In­sur­ance cus­tom­ers.

Sen­ate lead­er­ship has in­dic­ated it wants to move quickly on the in­form­a­tion-shar­ing bill. An aide for Sen­ate Ma­jor­ity Lead­er Mitch Mc­Con­nell said the le­gis­la­tion was a “pri­or­ity” but did not yet have a timetable for hit­ting the floor. Burr in­dic­ated a floor vote could hap­pen as soon as April.

“14-1 means I have all the con­fid­ence in the world to go to Sen. Mc­Con­nell and get this ex­ped­ited,” Burr said.

The meas­ure still faces sev­er­al po­ten­tial road­b­locks—and chief among them are the pri­vacy con­cerns that helped stall the bill’s pro­gress last sum­mer.

After the Sen­ate in­tel­li­gence com­mit­tee passed a sim­il­ar ver­sion on a 12-3 vote, that bill failed to gain trac­tion amid con­cerns that it would pave the way for com­pan­ies such as Google and Face­book to share more per­son­al data with in­tel­li­gence agen­cies. Un­der the bill, cy­ber in­form­a­tion is routed through the De­part­ment of Home­land Se­cur­ity, which can then be shared in real-time with oth­er gov­ern­ment agen­cies.

“This isn’t an in­form­a­tion shar­ing bill at all,” Gabe Rottman, a le­gis­lat­ive coun­sel with the Amer­ic­an Civil Liber­ties Uni­on, said in a state­ment. “It’s a new and vast sur­veil­lance au­thor­ity that might as well be called Pat­ri­ot Act 2.0 giv­en how much per­son­al in­form­a­tion it would fun­nel to the NSA,” he ad­ded, re­fer­ring to the post-9/11 le­gis­la­tion un­der which the in­tel­li­gence com­munity de­rives much of its spy­ing au­thor­ity.

Des­pite the push­back, in­form­a­tion-shar­ing has leapfrogged oth­er policy pri­or­it­ies in re­cent months—both in Con­gress and at the White House—due largely to the Sony breach, which gov­ern­ment of­fi­cials pub­licly blamed on North Korea. Law­makers of both parties have said the Sony hit awakened them to the im­port­ance and ur­gency of passing cy­ber­se­cur­ity le­gis­la­tion, and the is­sue earned some ded­ic­ated at­ten­tion dur­ing Pres­id­ent Obama’s State of the Uni­on ad­dress in Janu­ary.

It is not im­me­di­ately clear wheth­er the White House sup­ports the lan­guage the Sen­ate pan­el ap­proved, however. Though the ad­min­is­tra­tion views in­form­a­tion shar­ing as a key cy­ber­se­cur­ity pri­or­ity, Obama did is­sue a veto threat in 2013 when the House passed a CISA coun­ter­part. The le­gis­la­tion lacked ap­pro­pri­ate pri­vacy safe­guards and ran the risk of grant­ing cor­por­a­tions too much im­munity, the pres­id­ent said at the time.

Sen. Di­anne Fein­stein, the in­tel­li­gence pan­el’s top Demo­crat, told re­port­ers after the vote that she had been in dis­cus­sions with White House chief of staff Denis Mc­Donough and that “he be­lieves a num­ber of im­prove­ments have been made.”

To com­bat pri­vacy con­cerns, the in­tel­li­gence com­mit­tee cir­cu­lated a CISA draft last month that con­tained ad­di­tion­al pro­tec­tions, such as tough­er re­quire­ments on scrub­bing per­son­ally iden­ti­fi­able in­form­a­tion be­fore com­pan­ies can enter in­to the in­form­a­tion-shar­ing ar­range­ment. On Thursday, Fein­stein said that Demo­crats had sub­mit­ted 15 pri­vacy amend­ments, and that 12 had been ac­cep­ted either in part or in full.

CISA’s pas­sage in­dic­ates it is the pre­ferred route for­ward on in­form­a­tion-shar­ing among con­gres­sion­al lead­er­ship. Sen. Thomas Carp­er, the top Demo­crat on the Home­land Se­cur­ity Com­mit­tee, in­tro­duced a sep­ar­ate info-shar­ing bill last month with lan­guage that closely ad­hered to the White House’s re­com­mend­a­tions. But Carp­er in­tro­duced the meas­ure without a single co-spon­sor, and it has yet to gain trac­tion.

Pri­vacy ad­voc­ates gen­er­ally saw the White House pro­pos­al on in­form­a­tion-shar­ing, which was trot­ted out this year, as an im­prove­ment over pre­vi­ous it­er­a­tions of CISA. But some also said they could not sup­port any in­form­a­tion-shar­ing le­gis­la­tion if Con­gress did not first pass sub­stant­ive NSA re­form. Ex­ist­ing au­thor­it­ies to NSA spy­ing un­der the Pat­ri­ot Act are due to sun­set on June 1, mean­ing law­makers will have to act in some fash­ion be­fore then or risk let­ting cer­tain sur­veil­lance pro­grams ex­pire en­tirely.

Skep­tics of the bill passed Thursday were fur­ther agit­ated by the secrecy of the pro­cess. The vote was held dur­ing a closed-door meet­ing—a stand­ard prac­tice for the in­tel­li­gence com­mit­tee.

“The bill is com­plex and it needs a lot of work,” said Greg No­jeim, a seni­or coun­sel at the Cen­ter for Demo­cracy & Trans­par­ency. “The com­mit­tee’s con­sid­er­a­tion of a bill like this, which will im­pact the pri­vacy of In­ter­net users world wide, should nev­er be un­der­taken be­hind closed doors.”

The com­mit­tee is ex­pec­ted to pub­licly re­lease the passed lan­guage Fri­day or Monday, a Fein­stein aide said.

What We're Following See More »
Heller, Paul Won’t Vote on Motion to Proceed
19 minutes ago
CBO Says 22 Million More Would Be UNinsured
2 hours ago

The Senate bill "would increase the number of people without health insurance by 22 million by 2026, a figure that is only slightly lower than the 23 million more uninsured that the House version would create. Next year, 15 million more people would be uninsured compared with current law...The legislation would decrease federal deficits by a total of $321 billion over a decade."

SCOTUS Delivers a Victory for Gay Couples
2 hours ago

"The U.S. Supreme Court on Monday ruled in favor of same-sex couples who complained that an Arkansas birth certificate law discriminated against them, reversing a state court’s ruling that married lesbian couples must get a court order to have both spouses listed on their children’s birth certificates."

Revised Senate Bill Would Add Penalty for Going Uninsured
4 hours ago
58 House Republicans Ask Ginsburg to Recuse on Travel Ban
4 hours ago

The letter reads in part, "There is no doubt that your impartiality can be reasonably questioned; indeed, it would be unreasonable not to question your impartiality. Failure to recuse yourself from any such case would violate the law and undermine the credibility of the Supreme Court of the United States.” Ginsburg said last year, "He is a faker. He has no consistency about him. He says whatever comes into his head at the moment. He really has an ego."


Welcome to National Journal!

You are currently accessing National Journal from IP access. Please login to access this feature. If you have any questions, please contact your Dedicated Advisor.