Senate to advance anti-hacking bill amid privacy objections
Privacy advocates have objected to a bill scheduled for a Senate committee vote on Thursday that would shield companies from lawsuits when they share information about cyber-attacks with each other and federal agencies.
Industry groups, such as the Financial Services Roundtable, largely support the bill that’s under consideration by the Senate intelligence committee and has the backing of the panel’s ranking Democrat and Republican chairman.
Companies have resisted providing data to the government about hacking attacks out of concern they could be sued if they accidentally included private information about their customers, or accused of violating antitrust laws. Information sharing is needed to help prevent attacks that are growing more sophisticated and dangerous, according to the Obama administration.
“This current bill is critically important both for our agencies that keep the country safe, and the institutions that hold millions of Americans’ personal information,” Senator Richard Burr, a North Carolina Republican and chairman of the panel, said in a statement.
The bill “represents compromises on both sides following feedback from the executive branch, private sector and privacy advocates,” Feinstein said in a statement.
The new language would limit how the government can use information obtained from companies and restrict countermeasures companies can take, according to a Democratic Senate aide who spoke on the condition of anonymity because the changes have not been announced.
“The devil’s in the details,” Robyn Greene, policy counsel for the New America Foundation’s Open Technology Institute, a nonpartisan research group in Washington, said in a phone interview. “Until we see what the protections look like, we’re not going to be able to make a determination as to whether they’re at all effective.”
Senator Ron Johnson, a Wisconsin Republican and chairman of the Senate Homeland Security and Governmental Affairs Committee, said he isn’t sure the Burr-Feinstein bill will have the support it needs from the White House and privacy advocates.
“It might be too ambitious,” Johnson said in a speech Thursday at the U.S. Chamber of Commerce in Washington. “I think behind the scenes the White House is not supportive and that’s the snag.”
Johnson said he supports the bill but he’s prepared to move a separate measure through his committee that is more to the liking of the Obama administration, if necessary.
President Barack Obama, company executives and cybersecurity specialists have seized on recent high-profile hacking attacks to bolster their case for legislation. Anthem Inc. announced in February an assault that exposed personal data on about 80 million customers, and Sony Pictures Entertainment was the victim last year of an attack that crippled thousands of computers.
Although industry groups such as the Financial Services Roundtable support the bill, unresolved differences could impede Senate Majority Leader Mitch McConnell’s desire to quickly bring it to a vote in the full chamber.
While there is broad agreement companies should get legal protections for sharing data about online threats, Congress has failed for four years to pass legislation in part due to concerns over privacy and government spying.
The failure to pass cybersecurity legislation “has created havoc in the marketplace,” Senator Barbara Mikulski, a Maryland Democrat who serves on the intelligence panel, said in an interview.
“We’re trying to strike a balance between making sure we meet our national security needs but yet also recognizing the privacy rights of American citizens,” said Mikulski, who is also the most senior Democrat on the Senate Appropriations Committee. “How we find that right balance is where there’s a lot of give and take.”
Companies will be required to remove personal information before data is voluntarily shared with the government, and agencies will be restricted to using the data only for cybersecurity purposes or to investigate serious crimes, according to Burr and Feinstein.
A coalition of 26 privacy groups and 22 cybersecurity experts criticized a draft version of the bill in a March 2 letter to Burr and Feinstein, saying it wouldn’t protect consumer privacy, would allow companies to use dangerous countermeasures to fight back against hackers and would allow law enforcement overly broad authority to use shared data.
The draft also would allow the National Security Agency automatic access to data being shared, putting privacy rights at risk, according to the letter.
Under the draft, the Federal Bureau of Investigation or National Security Agency would be allowed access to “a ton of information that they couldn’t get without a warrant,” such as the Internet Protocol addresses of Americans and the content of e-mails, Greene said.
“It’s not a bill that would enhance cybersecurity nearly as much as it would enhance the government’s surveillance capabilities,” said Greene, whose group signed the letter.
Revelations about extensive U.S. spying exposed by former NSA contractor Edward Snowden showed the need to restrict the government’s ability to obtain information, not expand it, Greene said.
“Companies should be required to make a reasonable effort to identify and remove personally identifiable information unless it is necessary to identify or respond to a cyberthreat,” she said.
“If we saw a bill come out of committee like the discussion draft, we would be happy,” Jordan Quinn, the Financial Services Roundtable’s manager of government affairs for policy, said in a phone interview. “We want this language to be as crystal clear as you can possibly get but also have flexibility.”
JPMorgan Chase & Co., Lockheed Martin Corp. and Microsoft Corp. are among 32 technology, banking and retail companies urging lawmakers to provide them with legal protection for sharing hacking threats.
“Cyber-attacks have accelerated in frequency and sophistication and present a significant risk to our national and economic security,” according to a March 2 letter the companies sent to congressional leaders. “There is an urgent need for action to help bolster our country’s cybersecurity defenses.”
The letter didn’t advocate for any particular bill. Quinn said the Senate intelligence bill isn’t overly broad. The use of countermeasures, for example, would permit companies to defend their networks in legal ways, she said.
“In a post-Snowden environment, I think everyone is more sensitive to these conversations, whether it’s countermeasures or how the government is handling data,” she said. “You’ve got to walk a fine line between being flexible and being able to change with technology. If you’re too stringent in these definitions it won’t be applicable in a few years.”
The House intelligence committee is drafting its own bill, which would have to be reconciled with any version the Senate passes.
Mar 13, 2015 | By Chris Strohm