The Senate intelligence committee voted Tuesday to adopt a major cybersecurity bill that critics fear will give the National Security Agency even wider access to American data than it already has.
Observers said the bill, approved by a 12 to 3 vote in a meeting closed to the public, would face a difficult time passing the full Senate, considering both the shortened legislative calendar in an election year and the controversy surrounding surveillance.
But the bill is a priority of current and former NSA directors, who warn that private companies’ vulnerability to digital sabotage and economic data exfiltration will get worse without it.
Pushed by Dianne Feinstein and Saxby Chambliss, the California Democrat and Georgia Republican who lead the committee, the bill would remove legal obstacles that block firms from sharing information "in real time" about cyber-attacks and prevention or mitigation measures with one another and with the US government.
Civil libertarians worry that the NSA and its twin military command, US Cyber Command, would receive access to vast amounts of data, and that privacy guidelines for the handling of that data are yet to be developed.
A draft of the bill released in mid-June would permit government agencies to share, retain and use the information for "a cybersecurity purpose" – defined as "the purpose of protecting an information system or information that is stored on, processed by or transiting an information system from a cybersecurity threat or security vulnerability" – raising the prospect of the NSA stockpiling a catalogue of weaknesses in digital security, as a recent White House data-assurance policy permits.
It would also prevent participating companies from being sued for sharing data with each other and the government, even though many companies offer contract terms of service prohibiting the sharing of client or customer information without explicit consent.
"To strengthen our networks, the government and private sector need to share information about attacks they are facing and how best to defend against them. This bill provides for that sharing through a purely voluntary process and with significant measures to protect private information," Feinstein said in a statement after the vote.
Intrusions into private data networks are on the rise, with enormous economic consequences. A perceived need for some sort of government response drove the Justice Department to indict five Chinese military officers in May.
Champions of a similar bill that passed the House of Representatives last year despite a White House veto threat urged the full Senate to follow the intelligence panel's lead.
"These attacks cost our country billions of dollars through the loss of jobs and intellectual property. We are confident that the House and the Senate will quickly come together to address this urgent threat and craft a final bill that secures our networks and protects privacy and civil liberties," said Mike Rogers of Michigan and Dutch Ruppersberger of Maryland, the Republican and Democratic leaders of the House intelligence committee.
But digital rights advocates warn that the measure will give the government, including the NSA, access to more information than just that relating to cyberthreats, potentially creating a new avenue for broad governmental access to US data even as Congress and the Obama administration contemplate restricting the NSA's domestic collection.
The bill contains "catch-all provisions that would allow for the inclusion of a lot more than malicious code. It could include the content of communications. That's one of the biggest concerns," said Gabriel Rottman, an attorney with the American Civil Liberties Union.
Provisions in the bill are intended to protect American privacy on the front end by having participating companies strike "indicators … known to be personal information of or identifying a United States person" before the government sees it, but the draft version leaves specific guidelines for privacy protection up to the attorney general.
"Nobody knows whether the flow from the private sector will be a trickle or a river or an ocean. The bill contemplates an ocean, and that's what worries us," said Greg Nojeim of the Center for Democracy and Technology.
Two of the senators who voted against the bill, Democrats Ron Wyden of Oregon and Mark Udall of Colorado, said that they were prepared to work to improve the bill, which they said "lacks adequate protections for the privacy rights of law-abiding Americans, and that it will not materially improve cybersecurity".
They warned: "We have seen how the federal government has exploited loopholes to collect Americans' private information in the name of security."
A cybersecurity bill failed in the Senate in 2012, and observers like Nojeim doubted that a post-Edward Snowden environment was more conducive to passage, a point echoed reluctantly by leading NSA officials. Nevertheless, both NSA director vice-admiral Michael Rogers and his predecessor, Keith Alexander, have urged Congress to pass legislation along the lines of the Senate intelligence committee bill.