Congress on Friday passed legislation to fight cyber threats, pushing the measure through by tucking it into a sprawling government funding bill, after earlier failed attempts.
The measure was inserted into the massive $1.1 trillion spending package that funds the government through next September, tightens visa requirements, and ends a longstanding oil export ban, among other moves.
The so-called “omnibus” funding bill, which easily passed in the Senate, also in the process gave congressional approval to the landmark Cybersecurity Act.
The measure was approved with blessings from the White House, over objections of privacy activists.
Officials with the House Homeland Security Committee said in a statement that the bill would protect America’s private sector and federal networks “which are under continuous threat from foreign hackers and cyber terrorists.”
Separate versions of the bill were approved earlier this year by the Senate and House of Representatives.
Passage of the measure “ensures our federal cyber networks are able to defend against nation-states like China, Russia, Iran, and North Korea and terrorist threats,” said Congressman Michael McCaul, chairman of the homeland security panel.
“This streamlines the federal government’s ability to more effectively identify and thwart cyber-attacks,” he said.
President Barack Obama would get a victory with the approval after several years of seeking legislation to boost cybersecurity. Previous efforts were bogged down by opposition from activists who feared it would result in excessive government intrusion, and conservatives who argue it would create a new bureaucracy.
Obama welcomed the measure, a senior US official said. “The president has long called on Congress to pass cybersecurity information-sharing legislation that will help the private sector and government share more cyber threat information by providing for targeted liability protections while carefully safeguarding privacy, confidentiality, and civil liberties,” the official said.
House intelligence committee chairman Devin Nunes said the measure was “vital for protecting America’s digital networks,” and added that it was part of a broader effort “giving our intelligence community the tools it needs to identify, disrupt, and defeat threats to the homeland and our infrastructure.”
A key element in the legislation would shield private companies from liability if they report or share information about cyber threats.
The measure would establish the Department of Homeland Security as a “portal” for cyber threat information sharing. It would also authorize “defensive measures” that could disable or counter a cybersecurity threat.
The action comes amid growing concerns over threats to so-called critical infrastructure, which includes power grids, water systems, key industrial controls and especially the US financial system, which has been hit by numerous cyber attacks in recent months.
New NSA tool?
The compromise comes just months after Congress voted to rein in the powers of the National Security Agency, following revelations of vast surveillance programs in documents leaked by former intelligence contractor Edward Snowden.
Critics said the latest version of the bill is the result of secret negotiations which stripped out nearly all privacy protections, and that the definition of cyber threat is so vague that it would encourage companies to report many activities to law enforcement.
Fifty-one groups active on privacy and digital rights signed a letter Thursday opposing the bill, saying it “seriously threatens privacy, civil liberties, and government accountability, and would undermine cybersecurity, rather than enhance it.”
Robyn Greene of the New America Foundation’s Open Technology Institute said the political maneuvering underscored how controversial the legislation is.
“Sponsors (of the bill) and congressional leadership are choosing to force its passage without debate or a vote by attaching it to a must-pass spending bill,” she said.
The American Civil Liberties Union said the measure “would allow companies to share large amounts of private consumer information with government agencies, including possibly the FBI and NSA.” This could be used for criminal prosecutions unrelated to cybersecurity, “including the targeting of whistleblowers under the Espionage Act,” an ACLU statement said.
A large number of Silicon Valley companies such as Apple, Yelp and Dropbox have publicly opposed earlier versions of the legislation, but some tech firms involved in cybersecurity such as IBM have supported the effort.
Senator Ron Wyden, who opposed the bill passed in the Senate, said the latest version was worse from a privacy perspective.
“This ‘cybersecurity’ bill was a bad bill when it passed the Senate and it is an even worse bill today,” he said in a statement.
“Americans deserve policies that protect both their security and their liberty. This bill fails on both counts.”