Omnibus Funding Bill is a Privacy and Cybersecurity Failure

Press Release
Dec. 16, 2015

WASHINGTON, D.C. - Today, congressional leaders released a sweeping appropriations bill that would fund the federal government through fiscal year 2016. The proposed legislation includes a new version of the Cybersecurity Information Sharing Act (CISA, S. 754), which the Intelligence Committees and House Leadership renamed the Cybersecurity Act of 2015 (Division N of the omnibus), after negotiating text that combined three bills into one behind closed doors. The new version of the bill is a privacy and cybersecurity failure.

New America’s Open Technology Institute (OTI) had serious concerns about all three bills, but as displayed in our comparison chart, the House Homeland Security Committee’s bill was far better for operational effectiveness and privacy on almost all fronts. That bill also garnered 48 more votes than the House Intelligence Committee’s version of information sharing legislation.

Despite the fact that the Homeland Security bill had significantly broader support than the Intelligence Committees’ bills, the Intelligence Committees proceeded to meet behind closed doors to negotiate new language, and reportedly cut the Homeland Security Committee out of the drafting process almost entirely and did not give it actual text of the full bill until negotiations had nearly ended. Once the Homeland Security Committee was in the room, the Intelligence Committees clearly railroaded it in the discussions and meshed together their own two inferior bills.

The end result is a bill that, among other things, would:

  • Increase government access to Americans’ personal data with dangerously weak privacy protections;

  • Enhance the NSA’s access to Americans’ private information and undermine civilian control of domestic cybersecurity by allowing companies to share directly with the NSA;

  • Create a loophole where the president could give companies liability protection for sharing information directly with the DNI or FBI;

  • Undermine Americans’ rights to privacy and due process by authorizing law enforcement to use information in investigations unrelated to cybersecurity;

  • Provide limited transparency and reporting on the privacy impact and efficacy of these sweeping new authorizations, including information on how law enforcement uses information it receives; and

  • Provide complete liability protections for all actions taken pursuant to the bill, even where those actions are grossly negligent and harm innocent third parties.

The following quote can be attributed to Robyn Greene, Policy Counsel at New America’s Open Technology Institute:

“This cyber bill represents a shameful betrayal of what should have been an open and robust negotiation process to combine three significantly different bills into one superior product. Instead, the Intelligence Committees cut out the Homeland Security Committee, and engaged in a race to the bottom on privacy and operational effectiveness. The new, renamed version of CISA sets up a near free-for-all for the NSA and FBI to ramp up surveillance and investigation of Americans, and could seriously undermine data security and cybersecurity in general. If the excess of personal information that may be shared under this bill is targeted by malicious and nation state hackers - and there’s no reason to think it won’t be - this may well turn out to be the Intelligence Community’s next major boondoggle.

On several fronts, this bill is significantly worse than the two House-passed bills. Representatives should demand that it be stripped from the omnibus so that they can debate it and vote on record, to reject this deeply flawed bill. The President should also threaten to veto this bill, as he did for the similarly flawed CISPA, and send an unequivocal and resounding message that the Intelligence Committees should not and will not set the terms for what should be a civilian cyber information sharing program.”

An updated chart comparing the new version of the Cybersecurity Act of 2015 (formerly CISA) with the three bills that have already passed their respective chambers is available here.

In addition to the inclusion of the Cybersecurity Act of 2015, the omnibus bill removed several threatened policy riders that would have harmed the implementation of the Open Internet Order.

The following statement can be attributed to Joshua Stager, Policy Counsel at the Open Technology Institute:

“We strongly support the decision to remove harmful policy riders that would have blocked implementation of the FCC’s Open Internet Order, but we are deeply concerned about the bill’s dangerous and sweeping cybersecurity provisions.”