US Senate committee advances cybersecurity bill in secret session

The Senate intelligence committee advanced a priority bill for the National Security Agency on Thursday afternoon, approving long-stalled cybersecurity legislation that civil libertarians consider the latest pathway for surveillance abuse.

The vote on the Cybersecurity Information Sharing Act, 14 to 1, occurred in a secret session inside the Hart Senate office building. Democrat Ron Wyden was the dissenter, calling the measure “a surveillance bill by another name”.

Senator Richard Burr, the committee chairman, said the bill would create avenues for private-to-private, private-to-government and government-to-private information sharing.

The bill’s bipartisan advocates consider it a prophylactic measure against catastrophic data theft, particularly in light of recent large-scale hacking of Sony, Target, Home Depot and other companies.

Private companies could share customer data “in a voluntary capacity” with the government, Burr said, “so that we bring the full strength of the federal government to identifying and recommending what anybody else in the United States should adopt”.

“The sharing has to be voluntary, not coercive, and it’s got to be protected,” said Senator Dianne Feinstein, the committee’s vice-chair, adding that the information would pass through the Department of Homeland Security – and “transferred in real time to other departments where it’s applicable”.

Feinstein said the bill’s provisions would “only be used for counterterrorism purposes and certain immediate crimes”.

Several iterations of the cybersecurity bill have failed in recent years, including a post-Edward Snowden effort that the committee, then under Democratic leadership, approved last year. President Obama, renewing the push earlier this year, has called for a bill to enhance information sharing between businesses particularly banks and others in the financial sector and the federal government surrounding indications of malicious network intrusions.

Both the administration and Congress intend the legislation to join a panoply of recent moves to bolster cybersecurity, including February’s announced creation of a consolidated center within the intelligence agencies for analysis of internet-borne threats.

“This bill will not eliminate [breaches] happening,” Burr said. “This bill will hopefully minimize the impact of a penetration because of the real-time response.”

Feinstein said that companies, “reluctant to share with the government because they are subject to suit” would be protected from lawsuits “for cybersecurity purposes” under the bill.

But the bill faces strong opposition inside and outside Congress. Beyond expanding government’s reach into private data outside warrant requirements, it mandates real-time access to that data for intelligence agencies and the military.

‘Significantly undermine privacy and civil liberties’

Privacy advocates consider the bill to provide a new avenue for the NSA to access consumer and financial data, once laundered through the Department of Homeland Security (DHS), the initial public repository for the desired private-sector information. Campaigners consider the emphasis placed by the bill’s backers on DHS’s role to be a misleading way of downplaying NSA access to win congressional support.

A coalition of nearly 50 technologists, privacy groups and campaigners wrote to the committee earlier this month urging rejection of a bill that would “significantly undermine privacy and civil liberties” and potentially permit corporations to “hack back” at perceived network intrusions.

The bill “does not effectively require private entities to strip out information that identifies a specific person prior to sharing cyber-threat indicators with the government, a fundamental and important privacy protection,” the 2 March letter reads. Its changes to federal law “would permit companies to retaliate against a perceived threat in a manner that may cause significant harm, and undermine cybersecurity”, particularly given the misattributions of responsibility frequently seen in hacking cases.

Companies can only take “defensive measures” and not “countermeasures against another company”, Feinstein said.

Burr said that language in the bill would require companies to “remove all personal information before that data is transferred to the federal government”, and that the Department of Homeland Security would scrub any data not cleaned by companies. “We’ve tried to minimize in that any personal, identifying data that could be captured,” he said.

But Burr admitted the bill would still allow companies to share directly with the NSA, and could potentially receive liability protections if information is shared “not electronically”. “Our preference is the electronic transfer through the DHS portal,” he said.

While the NSA has labored to convince the public to move on from international condemnation of its digital dragnets – though Congress has passed no legislation to curtail them – acrimony within the tech sector at the surveillance giant persists.

At a Washington forum last month, Yahoo’s chief security officer confronted the NSA’s chief, Admiral Mike Rogers, over a recent push by US security agencies to undermine encryption for government benefit, a revival of the so-called “Crypto Wars” of the 1990s.

Alex Stamos of Yahoo challenged Rogers to explain why his company should not do the same thing on behalf of US adversaries or competitors to facilitate their spying on the United States. Rogers, in what was seen as a heated exchange, resisted the comparison.

Against that backdrop of suspicion, it is uncertain if the new cybersecurity bill can garner the votes in the broader Senate and House that its predecessors could not. The digital-rights group Access on Thursday was already seeking to mobilize its membership to call legislators in objection to the bill.

Wyden declined to comment to reporters, saying as he left the meeting: “You guys know I like talking about this stuff but I can’t say anything.”

He later articulated his dissent in a statement: “The most effective way to protect cybersecurity is by ensuring network owners take responsibility for security. Strong cybersecurity legislation should make clear that government agencies cannot order US hardware and software companies to build weaker products, as senior FBI officials have proposed.”