The U.S. Senate Intelligence Committee approved a cybersecurity bill during a secret session on Thursday, marking the next step in a process that critics warn will nefariously expand the government's already substantial surveillance powers.
The Cybersecurity Information Sharing Act (CISA), which passed by 14-1 vote, would ostensibly protect against large-scale data thefts of private consumer information, exemplified by recent hacks of Target, Sony, and Home Depot. But critics—including the lone dissenting voice on the committee Sen. Ron Wyden (D-Or.)—say it would open the door for continued invasive and unlawful government spying operations.
Although Wyden denounced the measure as "a surveillance bill by another name," his opposition was unable to stop the proposal from being approved by the committee. The bill, which reportedly underwent a dozen changes during the meeting, will next go to the full Senate for debate. Its passage in committee, however, means it has already succeeded where other recent cybersecurity proposals have failed.
Committee chairman Sen. Richard Burr (R-N.C.) told reporters after the vote that CISA would allow for private-to-private, private-to-government, and government-to-private information sharing, "in a voluntary capacity."
"This current bill is critically important both for our agencies that keep the country safe, and the institutions that hold millions of Americans' personal information," Burr continued.
However, as ACLU media strategist Rachel Nusbaum noted on Thursday, making information-sharing "voluntary" during criminal proceedings means that the government would be able to obtain private data without a warrant.
That includes any instance in which the government uses the Espionage Act to go after whistleblowers, who, according to Nusbaum, "already face, perhaps, the most hostile environment in U.S. history." The new measure, she continued, "fails to limit what the government can do with the vast amount of data to be shared with it" by the these companies." Nusbaum called the measure "one of those privacy-shredding bills in cybersecurity clothing."
"This bill is arguably much worse than CISPA [Cyber Intelligence Sharing and Protection Act] and, despite its name, shouldn't be seen as anything other than a surveillance bill—think Patriot Act 2.0," Nusbaum said.
Thursday's meeting was closed to the public, but Wyden emerged after the vote and warned the bill "lacks adequate protections for the privacy rights of American consumers, and that it will have a limited impact on U.S. cybersecurity."
Sen. Dianne Feinstein (D-Calif.), the ranking Democrat on the panel, said Thursday that the newest version of the bill would allow companies to defend themselves against cyberattacks but would prohibit them from taking "countermeasures" if a breach occurred.
The Wall Street Journal writes:
The bill would attempt to funnel corporate intelligence about cybersecurity threats and breaches through the Department of Homeland Security, an important distinction for many companies that don’t want the data to be housed in a military agency or an intelligence agency. DHS could share the information, if applicable, with other companies or other federal agencies, though it is supposed to be scrubbed to prevent the transfer of personal data about consumers.
Companies could also provide data to the NSA as long as it wasn't in "electronic form," according to Burr. If private customer data "finds its way to the federal government" following a hack, Burr added, "once we distribute it in real time and we realize there's personal information, any company that discovers it has to remove it or minimize it in a way that it can’t be shared anywhere else."
A draft (pdf) of the measure released last month was met with resistance from privacy advocates who said its vague language could give license to the government to increase unwarranted surveillance of U.S. citizens. Burr and Feinstein said Thursday the new version of the bill takes those concerns into account—but the privacy community was hesitant to follow such praise without seeing the final version of the measure.
"We are glad that the Senate Intelligence Committee heard the privacy community's concerns, and we're eager to see if the changes to the bill will adequately address the significant threats to privacy and internet security that CISA has raised," Robyn Greene, policy counsel with New America's Open Technology Institute, said in a statement Thursday. "Based on how dangerously broad and vague the last version of the bill was, it would be surprising if the bill agreed to in secret today will garner the support of the privacy community."
Greene called the earlier draft "as much a backdoor for surveillance as it is a cybersecurity information-sharing bill."
In an interview with Wired on Thursday, she criticized the secretive nature of the meeting, stating, "This bill has the potential to seriously harm Americans' privacy rights and it wasn't even debated in public."