FINANCE

Massive year-end spending bill includes cybersecurity act

The massive year-end spending measure includes a provision that will encourage companies to share cyber threat information with the government.

The measure, which represents a culmination of several years of effort to pass a cyber bill, brings together three different versions that passed the House and Senate earlier this year with hefty bipartisan support. It was released early Wednesday morning.

The Cybersecurity Act of 2015 largely hews to the Senate version of the bill, which passed despite concerns about privacy and transparency from some senators and technology companies, such as Apple and Yelp.

But there are some changes.

The bill allows the president to designate an agency other than the civilian Homeland Security Department to act as a portal for sharing cyber threats with the government only if DHS cannot and it is necessary. However, the Defense Department, including its National Security Agency, is specifically excluded for becoming an alternate portal.

Rep. Adam Schiff, D-Calif., the ranking member of the House Intelligence Committee, urged lawmakers to support the bill and said it was a major improvement over what was put forward last session, which he said lacked privacy protections.

"The bill is very protective of privacy while also doing a lot to help companies protect themselves from cyberattack," Schiff said. "We have to measure this against the daily invasion of our privacy by these hackers. Those who believe that perfect should be the enemy of the good, have to justify how they're willing to accept rampant hacking into our privacy and do nothing about it."

Companies are also assured they won't face liability for not acting on information received. Such liability protections are necessary to incentivize data sharing with the government, and have been a major reason why prior bills have failed to pass. Supporters of the cyber sharing bill say it's necessary to raise the cost to an attacker and ensure the same threats aren't repeatedly deployed.

The bill also calls on businesses and the government to remove, or scrub, personal identifiable information from threat data before sharing that information.

The first scrub is done by the company when it shares with the Homeland Security Department, and the second when DHS passes it on to other agencies. However, if the cyber threat pertains to a specific threat of the loss of life, economic damage, serious injury or the effort to prosecute or prevent the exploitation of a minor, the personal identifiable information may be passed on.

Sen. Ron Wyden, D-Ore., called the bill "even worse" today, lacking meaningful privacy protections to ensure personal information isn't passed on and doing little to prevent major hacks.

"Americans deserve policies that protect both their security and their liberty. This bill fails on both counts," Wyden said.

The ACLU called the cyber bill "a surveillance bill by another name" in a statement.

"Instead of passing reforms that would have stopped the Anthem or OPM (Office of Personnel Management) hack, Congress has chosen to advance legislation that places the privacy of Americans in further peril," it said, adding that the information could be used for criminal prosecutions unrelated to cybersecurity.

The White House has supported prior language in the cybersecurity bill.

The House is scheduled to vote Friday on the bill.