The final text of a major cybersecurity bill passed both chambers of Congress on Friday as part of a sweeping omnibus spending package.
The bill, which provides incentives for companies to share data on hacking threats with the government without fear of facing customer lawsuits, now heads to the president’s desk.
{mosads}The White House has indicated it will sign the $1.15 trillion spending bill, which will also make the Cybersecurity Act of 2015 law.
The bill is the biggest piece of cyber legislation Congress has passed since a 2013 holiday shopping season data breach at Target started a tidal wave of hacks that have since hit retailers like Home Depot, banks like JPMorgan Stanley, health insurers like Anthem and government agencies like the Office of Personnel Management (OPM).
Collectively, these breaches have exposed hundreds of millions of Americans’ personal data.
“It is the most significant effort by Congress to address the cyber threat to date,” said House Intelligence Committee ranking member Adam Schiff (D-Calif.), a co-sponsor of one of the House bills.
The passage is a huge win for Intelligence and Homeland Security leaders in both the House and Senate, some of whom have been at work for years on some iteration of the measure.
“We wanted to get it done for five years and there’s been a lot of work,” House Intelligence Committee Chairman Devin Nunes (R-Calif.), another co-sponsor, told The Hill after the vote. “We’re happy to get it across the finish line.”
These proponents believe the bill will help combat hackers and reduce the fallout from these catastrophic data breaches that have exposed hundreds of millions of Americans’ personal information in the last few years.
“I feel very good about it,” she added.
But the bill’s approval also deals a blow to privacy advocates and digital rights groups, only months after they scored a major victory with the USA Freedom Act, a bill that overhauled some of the National Security Agency’s more controversial surveillance programs.
Privacy advocates have warned that the cyber bill will simply restore surveillance powers to the NSA, by allowing companies to share large swaths of personal data with the government.
Other critics have also expressed concerns that the bill would do nothing to prevent the kind of hacks — like the OPM breach — that were used to justify its passage.
“You can negotiate dollar amounts, but you can’t negotiate the Constitution,” said Rep. Zoe Lofgren (D-Calif.), who earlier this week sent letters to members protesting both the content of the final text and its inclusion in the omnibus.
“I think it’s a surveillance bill posing as a data security bill, and I think that’s very wrong,” she told The Hill after the vote.
Over the last year, the privacy community has lobbied hard against the bill. But ultimately, even a ferocious 11th-hour campaign in recent weeks couldn’t stop Congress’s rare momentum.
The omnibus passed the House by a 316-113 vote. Two hours later, the Senate approved it, 65-33.
Numerous lawmakers objected to the cyber bill’s inclusion in the one-year spending bill. Several members even told The Hill the cyber text was their primary reason for opposing the omnibus.
But their disapproval wasn’t enough to derail the entire omnibus.
“There’s plenty wrong with this omnibus, but there’s nothing more egregious than the cyber language they secretly slipped in,” Rep. Justin Amash (R-Mich.) told The Hill on Wednesday.
As the omnibus was working its way through both chambers on Friday, a coalition of outside digital rights groups and civil liberties advocates delivered a petition with 110,000 signatures urging the White House to veto the bill.
“Please make clear that you will veto any cyber sharing legislation that fails to protect our fundamental rights,” the petition said. “Mass digital surveillance must end.”
But the White House has signaled it was pleased the cyber bill got attached to the omnibus.
The Obama administration has come around on the bill since expressing some initial reservations, citing improvements in the text’s privacy provisions. In recent months, White House officials had even chastised Congress not moving faster to approve the legislation.
“Congress just played really dirty, and we’re disappointed the White House is going along with it,” said Tiffiniy Cheng, co-founder of Fight for the Future, a digital rights group that has been directing a campaign opposing the cyber bill.
The cyber bill navigated a bumpy road to passage.
Since a similar cyber bill failed last Congress, lawmakers had worked to appease the privacy advocates that were driving opposition to the efforts.
The Cybersecurity Act includes a series of concessions as a result. For instance, the bill encourages companies to share information only through the Department of Homeland Security (DHS), seen as the agency best suited to scrub out personal details before any cyber threat data is shared across the government.
“If this bill had been the conclusion of the negotiations last session, the privacy community would have leapt to embrace it because it essentially met all of the asks,” Schiff said. “But the goalposts have moved and that’s just the nature of the legislative process.”
Throughout 2015, the measure was also repeatedly roped into the contentious surveillance debate, held up by procedural squabbles and derailed by other priorities such as the Iran nuclear deal, Planned Parenthood funding and the Trans-Pacific Partnership, a widespread trade deal among 12 Pacific Rim countries.
While the House passed its two complementary measures in April, the Senate was only able to turn to its companion legislation in October, after striking a deal that allowed opponents to offer a series of privacy-focused amendments. Despite considerable support, that slate of edits failed just before a final vote in favor of the Senate bill.
The bills passed both chambers with a strong majority, but faced a growing drumbeat of criticism from the tech sector.
Shortly before the Senate passed its bill, major tech trade groups said they were unable to support the measure, splitting from many prominent industry groups in the finance and retail sectors. The U.S. Chamber of Commerce also lobbied heavily in favor of the legislation.
Major Silicon Valley players such as Apple, Twitter and Yelp all came out against the measure around the same time. Numerous top tech firms and social media have indicated they will simply not participate in the information-sharing program set up under the bill.
But the Cybersecurity Act of 2015 has finally cleared all the roadblocks that stood in its way.
Feinstein insisted passing the final measure is the most important move Congress has made to combat hackers.
“On cyber? Oh yeah.”
But, she added, “It’s just the beginning.”