President Barack Obama signed into law a $1.1 trillion spending bill last Friday, staving off a potential government shutdown — and in the process, quietly inaugurated what some have called a second Patriot Act.
As part of the more-than-2,000-page document, the 14th rider to be exact, the appropriations omnibus includes the Cybersecurity Act of 2015. Buried within that section is the text of the Cybersecurity Information Sharing Act (CISA), a bill that seeks to permit private companies to hand over information to federal agencies.
In essence, the law allows companies to directly share information with the Department of Defense (including the National Security Agency) without fear of being sued. This info can be used for cybersecurity purposes, but critics have keyed into the law's allowance for using the data to address or investigate a "specific threat" of death, serious bodily harm, serious economic harm, terrorism, harm to a minor and more.
As Wired noted, an earlier bill only allowed information sharing in the case of "imminent threats," but the new "specific" verbiage disregards any timeliness.
The House Committee on Rules described the information sharing measure as "a voluntary cybersecurity information sharing process that will encourage public and private sector entities to share cyberthreat information, without legal barriers and the threat of unfounded litigation — while protecting private information."
As benign as that description may sound, several legislators released comments decrying the implications of the CISA measures.
"I was unable to vote for the omnibus spending bill today because it included an extraneous provision purported to facilitate cybersecurity information sharing that — in effect — will function as a surveillance tool," California Rep. Zoe Lofgren said in a statement.
Oregon Sen. Ron Wyden was even more critical, saying the "unacceptable surveillance provisions" are a "black mark" on the rest of the appropriations bill. He even implied that the information sharing provisions are worse than in previous incarnations.
"Ultimately, I cannot vote for this badly flawed CISA bill. The latest version of CISA is the worst one yet — it contains substantially fewer oversight and reporting provisions than the Senate version did," he said in a statement. "That means that violations of Americans' privacy will be more likely to go unnoticed."
To Wyden's point, 55 civil society groups, security experts and academics wrote earlier this year that CISA would "seriously threaten privacy and civil liberties, and could undermine cybersecurity, rather than enhance it."
These complaints may be blowing the scope of the bill out of proportion, according to Randy Sabett, vice chair of the privacy and data protection group at the law firm Cooley.
"I try to maintain a relatively open mind toward the arguments that people raise when they start talking about privacy and civil liberties, but I guess where I have difficulty is with some of these sweeping statements that it's a pure surveillance bill," he said.
Sabett pointed to CISA's voluntary nature — it doesn't compel any company to share data with the government, only prevents them from being sued for it. On the other hand, the law unequivocally requires both federal authorities and companies to scrub personal information from shared data.
Additionally, the law compels the government to issue regular privacy update reports to monitor any abuses, Sabett said.
And there are many who support the information sharing law, including Obama administration officials and industry groups.
"Cybersecurity is a top priority for DHS and the Obama administration, and this bipartisan effort is a significant step forward in strengthening our nation's cybersecurity," Homeland Security Secretary Jeh Johnson said in a statement after the omnibus spending bill was passed. "I look forward to working with Congress on further strengthening DHS' cybersecurity mission."
The U.S. Chamber of Commerce also put its support behind the new law. Recognizing that cybercrime targets both government and businesses, the Chamber's president and CEO, Thomas Donohue, said in a statement that CISA will allow businesses to voluntarily work with authorities "to better prevent, detect and mitigate threats."
"This legislation, long championed by the Chamber, is our best chance yet to help address this economic and national security priority in a meaningful way and help prevent further attacks," Donohue said.
Financial sector groups, such as the Securities Industry and Financial Markets Association and the American Bankers Association, have applauded CISA. Members of the Cyber Threat Alliance — which is made up of four companies: Palo Alto Networks, Fortinet, Symantec and Intel Security Group — were largely positive on the CISA measures in October.
"I have seen companies benefit from information sharing: To be in a situation where that information is like pulling teeth, and then to see the benefits that come out of it is an eye-opening experience," Sabett told CNBC. "Getting something on the books is going to have a lot more positive effects than the negative effects that the critics are pointing to."