Cybersecurity

Freedom Caucus Unable to Strip Intrusive Cybersecurity Bill from Omnibus

More government snooping of Americans; less liability for big business.

|

Can you shop at Amazon through the "dark web"?
Dave Bredeson | Dreamstime.com

It appears as though the Cybersecurity Information Sharing Act (CISA), a.k.a. the Cybersecurity Act of 2015, is going to survive negotiations to pass the omnibus, at least for now.

To refresh memories from yesterday, CISA encourages businesses to share customer data with federal agencies in the event of cyberattacks in order to assist with or improve cybersecurity. In exchange, businesses who participate are granted immunity from lawsuits from customers for breaches. That's a plum deal for the businesses, but privacy and tech activists warned that it's a loss for customers and that it probably is unlikely to actually improve cybersecurity. Even further, though the law as promoted as a way to fight against cyberattacks and terrorism, the wording also permits using the data gathered by the government to investigate and prosecute other crimes that have nothing to do with either of these categories.

This legislation has been shoved into the 2,000-page omnibus "must pass" spending bill, much to the concern of privacy advocates on both the left and the right. The conservative House Freedom Caucus, not happy with many parts of the omnibus, proposed a bunch of amendments. They wanted to add the House bill that toughened vetting of refugees from Syrian and Iraq. They also wanted to stop funding for some Obama administration mining regulations and add some other riders related to abortion written by the Pro-Life Caucus. And they wanted to strip out the Cybersecurity Act of 2015.

But they failed. Yesterday evening the Rules Committee rejected all of the amendments from the Freedom Caucus. From The Hill:

The Rules panel's decision to leave the bipartisan omnibus largely unchanged clears the way for the bill to pass the House on Friday. The lower chamber is expected to pass a major tax package on Thursday that had been negotiated alongside the spending bill. 

Both bills are expected to clear the Senate and be signed into law by President Obama. 

In all likelihood, most if not all of the 40 members of the Freedom Caucus will vote against the legislation. "No" votes won't just be coming from libertarian Republicans like Justin Amash (R-Mich.), though. Rep. Jared Polis (D-Colo.), who also opposes the cybersecurity bill, posted on Facebook yesterday 10 reasons why he was voting against the omnibus. Not only did he point to the Cybersecurity Act as a reason, but also the pork embedded in the bill ($14 million for a catfish inspection program that hasn't inspected any catfish), and legislative meddling in Washington, D.C.'s marijuana regulations (which Jacob Sullum blogged about this morning).

NEXT: Yale Students Totally Cool With Repealing the First Amendment

Editor's Note: We invite comments and request that they be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of Reason.com or Reason Foundation. We reserve the right to delete any comment for any reason at any time. Report abuses.

  1. Our government runs on bureaucratic inertia. The will of the people means nothing, and it takes tremendous effort to dislodge anything once it gets to the stage of making it into unrelated legislation. After Bush and Obama, there is virtually no sense of checks and balances — and since the two were clearly too incompetent to rule a hot dog stand (much less a country), the power vacuum seems to have been filled with great eagerness by our security and domestic bureaucracies.

    1. I will contend that, being on the other side of the regulatory apparatus, running a hot dog stand is the more difficult job.

      1. Writing the rules is easy if you don’t have to worry about following them?

  2. More government snooping of Americans; less liability for big business.

    Everybody wins!

    1. Everybody who matters) wins!

  3. That’s a plum deal for the businesses, but privacy and tech activists warned that it’s a loss for customers and that it probably is unlikely to actually improve cybersecurity.

    “Probably is unlikely”? It seems certain to make cybersecurity worse. If companies give my data away, they no longer have to worry about safeguarding it. That’s not an incentive for cybersecurity, but for its opposite.

    1. It’s even worse than that. My company has a rather large security team. These guys are privacy fanatics, and spend their entire working day digging into other developers’ shit- scanning their software, identifying exploits and forcing changes in the architecture of the systems to harden them against attack. This goes far beyond the typical SOX/PCI/SAS type controls that ensure people are changing their passwords regularly. They are disruptive and EXPENSIVE for the company.

      And our security program exists largely because our company knows how expensive a compromise of our systems could be. We know that customers might sue us for negligence, or that a compromise will lead users to abandon us.

      With this law, companies will have less incentive to fund such programs. It will start with companies like Intuit and the like who essentially have captured their market and know that people really don’t have much choice but to use their systems. Many companies will continue funding (to a lesser extent) to protect their brand. However, over time the population’s perspective will change. As incidents pile up, people will see this more and more a responsibility of the government, not individual companies, to address. At that point, these programs will become mere “check the box” exercises and every compromise will be the Fedgov’s job to deal with.

      By removing accountability, this bill removes all incentive for companies to secure their systems.

      1. As incidents pile up, people will see this more and more a responsibility of the government, not individual companies, to address.

        This X 1000. You see this dynamic in almost every area where government sticks it’s nose in.

        1. If minimum compliance with regulation shields a company from lawsuits, then there is no incentive to do anything beyond what is mandated.

  4. If you like your privacy, you can keep your privacy.

  5. This whole internet thing is vastly overrated. I think I’ll just give it up.

  6. This is my surprised face.

  7. As long as companies do the bare minimum required by regulators, then they are immune from lawsuits.

    What could possibly go wrong?

  8. Omnibus is latin for “we all get fucked”

    1. I thought it meant “bend over and grab your ankles.”

      1. That’s the King James translation. And you left out “everybody”.

    2. Omnibukkake (n.) – A spending bill that leaves not only the taxpayer completely humiliated, but leaves a large amount of sticky residue on him/her that is impossible to clean off.

  9. The federal government can’t effectively sift through the information it receives now from a gazillion sources in the private sector; most of the information received is completely useless because “suspicious activity” is essentially anything that cannot be proven by a private company’s compliance officer to be definitely not-suspicious (yes, that’s proving a negative). That’s because the private sector is incredibly poor at detecting crimes; most don’t have personnel with law enforcement experience on staff (to the extent that would actually help).

    So let’s add EVEN MORE useless information on “suspicious activities” for the government to sift through to the pile.

  10. The Freedom Caucus just got a huge ‘Fuck You’ from the GOP establishment after they were kind enough to knuckle under and elect Paul Ryan as Speaker of the House. Sure hope they remember this the next time the rank and file GOP shits come looking for votes for some ‘vital’ piece of god-awful legislation.

  11. “…CISA encourages businesses to share customer data with federal agencies in the event of cyberattacks in order to assist with or improve cybersecurity.”

    I could have sworn there was a process by which the government can get information from people related to a crime. Something, something, WARRANT!

  12. This is what is wrong with Congress and Republicans can not blame Democrats this time.

Please to post comments

Comments are closed.