Cybersecurity Act Near Certain To Remain in Omnibus; White House Response Less Clear

The conferenced Cybersecurity Act text included in the omnibus strikes more of a balance between elements of the Senate-passed Cybersecurity Information Sharing Act (S-754) and two House-passed information sharing bills, but multiple digital rights and privacy advocacy groups continued to urge Obama to threaten to veto the omnibus over the conference bill language. Those groups had raised concerns in recent days that more palatable Department of Homeland Security-centric privacy provisions included in the two House bills -- the Protecting Cyber Networks Act (HR-1560) and the National Cybersecurity Protection Advancement Act (HR-1731) -- were being sidelined.

The Cybersecurity Act’s text most closely aligns with provisions in S-754, including S-754’s requirements for removing personally identifiable information (PII) when such PII isn’t directly related to a cyberthreat. The Cybersecurity Act includes liability protections that are stronger than those suggested in S-754 or HR-1560. The conference bill also continues substantial text from the version of HR-1560 the House submitted to the Senate, which included the full text of the DHS-centric HR-1731.

The conference text would enshrine DHS’ role as the main civilian information sharing portal via the National Cybersecurity and Communications Integration Center, but would also allow the president to designate sharing through other civilian agencies when necessary. But the conference bill prohibits the Department of Defense and the NSA from becoming an alternate civilian sharing portal. The Cybersecurity Act also contains text from the Federal Cybersecurity Enhancement Act (S-1869), which would increase oversight of DHS’ Einstein cybersecurity program and expand the program’s scope to cover all federal agencies. Elements of the Federal Cybersecurity Workforce Assessment Act (S-2007) also were included in the conference language. Cybersecurity Act provisions on general cybersecurity information sharing would sunset in 2025, while others would sunset seven years after the conference bill is enacted.

Congress, Groups React

Senate Intelligence Committee Vice Chairwoman Dianne Feinstein, D-Calif., called the conference Cybersecurity Act a “strong bill” that also “maintains Senate language on use of a [DHS] portal to share information.” The conference language “restricts the government’s use of cyber information to cybersecurity purposes and specific instances of major harm to people or the economy,” Feinstein said in a statement. “The agreement incorporates [S-754’s] robust privacy protections.” House Intelligence ranking member Adam Schiff, D-Calif., urged House members to support the conference language’s inclusion in the omnibus. “Ultimately, there is no greater guarantor of Americans’ privacy than America’s cybersecurity,” he said in a letter.

Several members of both the House and Senate who had previously criticized information sharing legislation protested the Cybersecurity Act’s inclusion in the omnibus. The conference language is “even worse” than S-754, said Sen. Ron Wyden, D-Ore., in a statement. “Americans deserve policies that protect both their security and their liberty,” he said. “This bill fails on both counts.” Reps. Justin Amash, R-Mich., and Zoe Lofgren, D-Calif., were among four House members who sent a letter to the rest of the House Tuesday to protest secret negotiations on the conference language. “Neither negotiations -- nor even bill text -- have been made public,” they said. “We cannot cast such a consequential vote with no input.”

Digital rights and privacy groups criticized the Cybersecurity Act for not providing sufficient privacy and civil liberties protections, but representatives of those groups we spoke with were divided about how to address those concerns. “I think the die is cast” on passage of the omnibus with the Cybersecurity Act text intact, said Center for Democracy & Technology Freedom, Security and Technology Project Director Greg Nojeim. “Every member will hesitate to oppose must-pass legislation like the omnibus” simply because it includes the conference text. It’s more likely that the privacy community will pivot following passage of the omnibus to focus on federal agencies’ writing of information sharing guidelines called for in the Cybersecurity Act, Nojeim said.

“This is being rushed through via a non-standard procedure,” said TechFreedom President Berin Szoka. TechFreedom was among four free market-oriented groups that jointly urged House Speaker Paul Ryan, R-Wis., to stop the effort to attach the Cybersecurity Act to the omnibus. “There are some really hard questions that still haven’t been answered, like what duty should companies have to remove [PII]?” Szoka said. “I think both sides are largely talking past each other right now.” The American Civil Liberties Union is still pushing for members of Congress who were critical of privacy protections in HR-1560 and S-754 to actively object to the Cybersecurity Act’s insertion into the omnibus, said Neema Singh Guliani, ACLU's Washington legislative council. “This bill is significantly weaker than [HR-1731] on privacy protections and in some ways provides even less protection than [S-754],” she said.

White House Response?

Several industry lobbyists said they believe the Cybersecurity Act is certain to remain in the omnibus, but were less unanimous about how the White House will respond. A list of White House priorities for the conference information sharing bill included a strong preference for the “narrowly targeted” liability protections included in S-754 and language from S-1560 and S-754 establishing DHS as the main civilian information sharing portal. The White House also supported language from HR-1560 requiring companies to take “reasonable efforts” to remove PII unrelated to a cyber threat and but didn’t want to fully prohibit Defense and NSA from being information sharing portals. The White House didn’t comment.

“I think [Congress] really resolved all of the most difficult and contentious issues that came up during negotiations and that’s reflected in the text we saw in the omnibus,” said Monument Policy Group lobbyist Andrew Howell. “There was a lot of back and forth between [Congress’] Homeland Security and Intelligence committees to get a product that they could all support. The White House was also involved throughout the conference process, so to an extent they own this bill too.” The White House’s involvement included review of conference text drafts, so “if they had an objection, I think we would have heard a veto threat by now,” an industry lobbyist said.

The White House “made clear where they believed the line in the sand was” on privacy protections that needed to be included in a conference information sharing bill, so “only they can say whether they think [the Cybersecurity Act] went up to that line or over the line,” said Norma Krayem, Holland & Knight senior cybersecurity policy adviser. “It’s unclear whether this went over that line at this point. [DHS] remains the main civilian portal and there are still many privacy and oversight requirements, but those provisions have changed from what they were” in HR-1560, HR-1731 and S-754, she said. Congressional leaders were also strategically smart to attach the Cybersecurity Act to the omnibus since it’s a must-pass bill, Krayem said. “It would be hard for the White House to justify vetoing the omnibus over this, but on the other hand they’ve said they’re committed to privacy and civil liberties just as much as security.”