Cybersecurity legislation may face tough road

Erin Kelly | USA TODAY

WASHINGTON — Feeling pressure to act, Congress is struggling to pass a cybersecurity bill in the wake of this year’s massive hacks that stole the data of millions of government workers, taxpayers and consumers.

But continuing concerns about the bill’s impact on privacy rights — combined with a packed legislative calendar — could derail passage of the legislation in this Congress, supporters and opponents say.

“I think time is very much against us,” said Matt Eggers, who handles cybersecurity issues at the U.S. Chamber of Commerce and is pushing for lawmakers to pass a bill. “Our biggest challenge right now is to get it to the Senate floor for a vote in September. If we do that, then I think we have a pretty good shot.”

Congress is facing a daunting to-do list when it returns to work Sept. 8, including votes on the Iran nuclear deal and passing a bill to fund the government past Sept. 30. Lawmakers also are preparing for the first-ever papal address to Congress by Pope Francis on Sept. 24.

When the Senate left town in early August for a monthlong recess, it abruptly stopped debate on the Cybersecurity Information Sharing Act, which would encourage the voluntary sharing of cyber threat information among private companies and between companies and the government.

Senate Majority Leader Mitch McConnell, R-Ky., had been wrangling with Minority Leader Harry Reid, D-Nev., over what amendments would be allowed to come up for a vote. McConnell said the Senate will take up the bill again when it returns and consider 21 amendments.

Sen. Ron Wyden, D-Ore., has offered two amendments to strengthen the bill’s privacy protections but said he still believes the legislation is unnecessary and could do more harm than good. He said he fears lawmakers are rushing to pass a flawed bill in the wake of the recent attack that compromised the data of 21.5 million people whose records were stored by the Office of Personnel Management.

“Everybody understands that with the OPM hack there’s going to be a push to do something,” Wyden said. “Nobody wants to look soft on cyber attacks. The problem is that our best technologists out there say this is not going to stop the hacks or protect people’s information. But it is going to create an invasion of people’s privacy.”

Privacy rights advocates say the bill would result in the personal information of millions of Americans being turned over to the federal government without their consent. The bill offers liability protection to shield companies from lawsuits for sharing their customers’ information.

“The bill gives private companies sweeping legal protections when they share personal consumer information with the government for cybersecurity purposes, which are broadly defined,” said Gabe Rothman, a legislative counsel and policy adviser for the American Civil Liberties Union. “The requirements that companies strip out irrelevant private information are weak. Once shared with the government, law enforcement and intelligence agencies can use it for numerous non-cyber purposes.”

The bill’s authors said they have beefed-up privacy protections in the latest version of the legislation. One big change is that federal law enforcement officials would no longer be able to use the data to investigate crimes that have nothing to do with cybersecurity. An earlier version would have allowed agents to use the information to investigate crimes such as carjacking and drug running that involves weapons.

“This is not a surveillance bill,” said Senate Intelligence Chairman Richard Burr, R-N.C., whose bipartisan legislation was approved 14-1 by the Intelligence committee. “We're here because the American people's data is in jeopardy if government doesn't help to find a way to minimize the loss.”

Eggers said that privacy advocates should be more concerned about hackers stealing people’s private data.

“If they’re so concerned about privacy, where’s their outrage over the OPM attack?” he said.

Wyden has been pressing top federal counterintelligence officials about what steps the National Counterintelligence and Security Center took to protect OPM records from suspected Chinese hackers. He said a stronger cybersecurity strategy by the government is what’s needed most.

“That’s the sensible place to start,” he said.

Burr said the Cybersecurity Information Sharing Act would not prevent cyber attacks such as those against OPM and the IRS, which was hacked by thieves who accessed as many as 334,000 taxpayer accounts.

“I’m not sure we could craft anything to do that (prevent attacks),” Burr said. He said the bill’s aim is to minimize the damage done by hackers by sharing threat information as widely as possible so that attacks can be stopped before they spread to other government agencies or companies.

Eggers said the business community, which has been hit hard by attacks on Target, Home Depot, Anthem health insurance, JPMorgan Chase and others, sees this fall as the best chance to get a bill passed in this Congress.

“Next year is an election year, and nothing is going to get done then,” he said. “If it’s going to happen, it has got to be soon.”

Follow @ErinVKelly on Twitter