'Cybersecurity' Bill CISA Poised to Pass Into Law Today

The Cybersecurity Information Sharing Act is back, and, according to privacy advocates, it’s worse than ever, even as it seems virtually certain to become law as part of the omnibus Cybersecurity Act of 2015, which passed the House this morning by a wide margin.

Since the Cybersecurity Act is — other than CISA — more or less a routine funding measure, few lawmakers are expected to vote against the whole bill to prevent the divisive piece from heading to the president’s desk, and President Obama has publicly committed to signing the bill.

Privacy advocates are sounding the alarm over the provisions they see as worse in this version of CISA and the apparently backhanded tactics being used to avoid a real debate on the bill’s impact on privacy versus its value for cybersecurity. Nonetheless, the passage of some version of CISA appears imminent, as votes in the House and Senate could come as early as today.

CISA provides incentives to major tech companies to share user information with federal authorities. It also grants these companies immunity from prosecution under existing privacy laws, an issue that arose when the Edward Snowden leaks made it appear possible that companies were going beyond their legal authority to comply with government data requests.

These two provisions would open new channels for the sharing of information between government and private companies. But the House version of CISA does seem to open the channels even wider than the Senate bill. By defining the class of information that companies should deliver to the feds as anything related to “specific” rather than “imminent” threats, the House bill seems to provide a more general requirement that could result in even greater data collection.

The bill’s critics argue that the current drive for cybersecurity legislation came out of major breaches of both government and corporate data by foreign entities, yet the bill does little to address the issues that undergird those hacks. Instead it expands the more general powers of federal agencies to collect private data. As evidence, critics cite provisions in the House bill, which calls for establishing “portals” directly to law enforcement agencies rather than the the Department of Homeland Security.

Some are also criticizing President Obama for vacillating on cybersecurity, having initially promised to veto a CISA-predecessor called CISPA but now displaying no qualms about signing similar legislation. A seni­or ad­min­is­tra­tion of­fi­cial wrote in an emailed state­ment to the National Journal:

“We are pleased that the Om­ni­bus in­cludes cy­ber­se­cur­ity in­form­a­tion shar­ing le­gis­la­tion. The Pres­id­ent has long called on Con­gress to pass cy­ber­se­cur­ity in­form­a­tion shar­ing le­gis­la­tion that will help the private sec­tor and gov­ern­ment share more cy­ber threat in­form­a­tion by provid­ing for tar­geted li­ab­il­ity pro­tec­tions while care­fully safe­guard­ing pri­vacy, con­fid­en­ti­al­ity, and civil liber­ties.”

The president’s initial announcement of his intent to veto CISPA had privacy advocates celebrating their defeat of the current push for a cybersecurity bill. Now, with Obama’s support and a path to majority support in both houses of Congress, CISA appears poised to become a reality.