Controversial Cybersecurity Bill Poised to Pass in Massive Spending Package

Congress is about to take its biggest step yet to bolster cybersecurity, but privacy advocates fear it could expand surveillance.

After years of debate and maneuvering, a major cybersecurity bill is finally on the fast track to approval after lawmakers attached it to a $1.1 trillion government spending package early Wednesday morning.

While business groups and national security hawks are cheering the news, it’s a major blow to privacy advocates, who fear the measure will funnel more of Americans’ personal information into the hands of the National Security Agency.

The legislation, now called the Cybersecurity Act of 2015, would encourage companies to share information about computer viruses and other cybersecurity threats with each other and the government. The bill would shield companies from lawsuits by their users for giving private information to the government as part of the program.

Supporters say the legislation is critical for ensuring the government and private industry can work together to thwart attacks on the nation’s computer systems. “This cyberbill is a ‘Team America’ approach that will significantly improve efforts to fight cybercriminals and better protect consumer data and intellectual property,” Tim Pawlenty, the CEO of the Financial Services Roundtable, one of the many business groups lobbying for the legislation, said in a statement. Sen. Dianne Feinstein, the top Democrat on the Senate Intelligence Committee, called the bill “an important first step to fight back against dangerous cyberattacks.”

But civil-liberties groups warn the latest version of the measure has been stripped of some of the most significant privacy protections, transforming it into a surveillance bill.

“Instead of passing reforms that would have stopped the Anthem or [Office of Personnel Management] hack, Congress has chosen to advance legislation that places the privacy of Americans in further peril,” Neema Singh Guliani, a legislative counsel for the American Civil Liberties Union, said in a statement. “It would wrongly allow companies to share larger amounts of consumer information with government agencies, potentially including the NSA. This information could be used for criminal prosecutions unrelated to cybersecurity.”

She urged companies not to participate in the voluntary information-sharing program if the bill becomes law.

Rep. Adam Schiff, the top Democrat on the House Intelligence Committee, argued that the legislation has strong privacy protections. It would establish the Homeland Security Department, a civilian agency, as the main portal for receiving private sector cybersecurity information and would direct companies to strip out personal information unrelated to a cyber threat.

“Ultimately, there is no greater guarantor of Americans’ privacy than America’s cybersecurity,” Schiff wrote in a letter to other lawmakers urging them to back the bill. “The Cybersecurity Act of 2015 will help make our networks safer and our privacy secure.”

Although the bill would bar the NSA from directly receiving the data from the private sector, it would instruct the Homeland Security Department to share the information it receives with other “relevant federal entities,” which privacy advocates note could include the NSA or FBI. Lawmakers removed previous language that would have required that the government only use the data for “cybersecurity purposes," which has privacy advocates worried that the data could find its way into criminal prosecutions. And they argue that the legislation doesn't impose a strong enough requirement on companies to remove personal information from the data they give to the government.

“This ‘cybersecurity’ bill was a bad bill when it passed the Senate and it is an even-worse bill today. Americans deserve policies that protect both their security and their liberty,” Sen. Ron Wyden, an Oregon Democrat and outspoken privacy supporter, said in a statement. “This bill fails on both counts.”

The legislation could receive votes in the House and Senate as early as Friday.

Both chambers have already approved varying versions of the cybersecurity bill earlier this year. The White House had threatened to veto similar bills in 2012 and 2013, saying they lacked adequate privacy safeguards. But President Obama is expected to sign the legislation this time as part of the omnibus spending package if it reaches his desk.

"We are pleased that the Omnibus includes cybersecurity information sharing legislation," a senior administration official said in an emailed statement. "The President has long called on Congress to pass cybersecurity information sharing legislation that will help the private sector and government share more cyber threat information by providing for targeted liability protections while carefully safeguarding privacy, confidentiality, and civil liberties."

—This article has been updated with a comment from the administration.