The U.S. Senate could vote whether or not to pass a sweeping new cybersecurity bill later this week and advocacy groups are fighting hard to ensure that the bill contains privacy protections for Web users.
Once all the amendments are considered, the Senate could move to vote on the bill’s passage immediately, as was the case when the House quickly rushed through and passed its own controversial cybersecurity bill, CISPA, in late April.
The Cybersecurity Act of 2012, originally introduced in February by Senators Joseph Lieberman (I-CT) and Susan Collins (R-ME) in February, is substantially different in several key ways from CISPA, namely that it currently contains privacy protections for Web user information. Yet like CISPA, The Cybersecurity Act of 2012 would also encourage and set up a system for private companies and the government to share information on what they deem to be national cybersecurity threats, information that could in some cases contain the personal data of ordinary Web users.
“This is really about civilian domestic information,” said Michelle Richardson, legislative council for the American Civil Liberties Union (ACLU), in a phone interview with TPM.
The ACLU one of several dozen groups working to codify privacy protections in whatever form of the bill makes it to the Senate floor for a vote.
As such, the ACLU is against one of the many prominent new amendments, the SECURE IT Act, introduced by Sen. John McCain (R-AZ), which is actually a totally separate version of the bill that McCain tried to introduce earlier but failed to gain traction. McCain says he opposes Lieberman’s version of the bill, because McCain thinks that the program of voluntary information sharing that it would allow would actually be, in effect, a mandatory information sharing program.
McCain’s bill would allow private companies to share information, including Web user data, with military and intelligence agencies, without alerting users or obtaining their informed consent. By contrast, the newest version of the Lieberman-Collins Cybersecurity Act of 2012 would force companies to go through the Department of Homeland Security or other civilian agencies first. It would also ensure that companies and government agencies obscure personal identifiers and delete information after it is no longer needed.
The ACLU is supportive of these parts of the Cybersecurity Act of 2012, but opposes any amendments that would weaken privacy protections, including McCain’s.
“Information from everyday Americans really needs to go through a civilian agency, not a military or intelligence one,” Richardson told TPM.
In agreement with the ACLU are some 24 other advocacy groups, including the Electronic Frontier Foundation and the Center For Democracy and Technology.
The Obama Administration and specifically the head of U.S. Cyber Command, General Keith Alexander, are also supportive of the Cybersecurity Act of 2012, though Alexander noted in a letter to Senate leaders on Tuesday that: “Information sharing alone, however, is insufficient to address the vulnerabilities to the nation’s core critical infrastructure.”
Cybersecurity experts seem to agree, with many telling TPM earlier that the government needs to actually require critical infrastructure operators — that is, utilities companies, water treatment plants, railroad companies, even internet service providers (ISPs) — to have minimum cybersecurity measures in place. Currently there is no such national regulation or mandate requiring this.
Still, it remains to be seen whether the Senate will even get to a vote on the Cybersecurity Act of 2012, given the increasing number of seemingly unrelated amendments being introduced at the eleventh hour. Even if the Senate passes the bill, it would still have to conference with the House and introduce a version that both Houses would need to pass, then the President would need to sign it, in order for it become law.