The $1.8 trillion, 2,000-plus-page omnibus federal budget that President Barack Obama signed into law on Friday includes provisions that encourage private companies to share information about the cyberthreats they face with federal agencies. Privacy advocates, however, have decried the measure as a backdoor way for the government to monitor and access citizens’ private data. The law also directs federal agencies to take concrete steps to protect the data in their own IT systems.
The cybersecurity provisions were included in one of the numerous policy riders that were inserted late in the process of crafting the must-pass budget bill. The measure is essentially a version of the Cybersecurity Information Sharing Act (CISA), which, as CNN reported, languished in the Senate in 2014, but was revived after the House passed two versions of the bill in April and the Senate passed its own in October.
Cybersecurity Rules Increase ‘Information-Sharing’
A key feature of the cybersecurity measure offers private entities liability protection from lawsuits if they share information with the federal government about cyberattacks — so-called “cyber threat indicators” — and the defensive measures they are taking to protect against them. However, as The Register notes, earlier versions of CISA required companies to strip customer information from the data they hand over to the government, and the final legislation does not include that privacy provision.
Additionally, FedScoop reported, the Department of Homeland Security can share the cyber threat indicators it receives with other government agencies, including the FBI and National Security Agency, as long as personally identifiable information is removed first. The bill also lets the president designate an additional data portal for this information at another federal agency, other than the Defense Department (and therefore the NSA, which is part of it), if the DHS portal proves inadequate.
The CISA provisions sparked protests from civil liberties groups and some lawmakers. "I think they completely bent over, they went a 180 on their previous positions, and it's really disappointing," Robyn Greene, policy counsel at New America's Open Technology Institute, told CNN. "I think after Sony [was hacked by the North Koreans] they got to a point that they were sick of trying and decided they would rather get something done rather than do something right."
Sen. Ron Wyden (D-OR), one of the bill’s fiercest critics, agreed. “This ‘cybersecurity’ bill was a bad bill when it passed the Senate and it is an even worse bill today,” Wyden said in a statement. “Americans deserve policies that protect both their security and their liberty. This bill fails on both counts. Cybersecurity experts say CISA will do little to prevent major hacks, and privacy advocates know that this bill lacks real, meaningful privacy protections.”
Taking Steps to Increase Federal IT Security
In addition to the cybersecurity provisions, the law requires federal agencies to take steps to bolster the security of government data in the wake of the hack at the Office of Personnel Management, which compromised the personal information of more than 20 million past and present federal employees.
The law requires that, within one year of enactment, each federal agency “identify sensitive and mission-critical data” it stores and then “assess access controls” to that data, along with the need to keep the data readily accessible and which individuals actually need access to it.
Further, the law requires agencies to “encrypt or otherwise render indecipherable to unauthorized users” sensitive or mission-critical data that is stored on or transmitted through agency IT systems. The General Services Administration is charged with “implementing a single sign-on trusted identity platform for individuals accessing each public website of the agency that requires user authentication.”