Senate Majority Leader Mitch McConnell announced on Tuesday his intent to package controversial cybersecurity legislation into an ongoing debate over a defense policy bill.
McConnell, alluding to the recent hacks of federal employee data at the Office of Personnel Management and a breach that took down the Army’s website, said he would seek to tack on a proposal that would increase the sharing of so-called “cyber-threat” data between the private sector and government to the National Defense Authorization Act.
“Given the cyberattacks that occurred earlier in the week, it is the intention of Chairman [Richard] Burr of the Intelligence Committee to offer cybersecurity to this bill, a bill that came out of Intelligence 14-1,” McConnell said during a press briefing.
A McConnell aide confirmed the cybersecurity legislation would be in the form of an amendment but that there was no schedule yet for when it would be debated.
The measure McConnell and Burr will put forward is the Cybersecurity Information Sharing Act, which easily passed the Senate Intelligence Committee in March. Democratic Sen. Ron Wyden cast the lone dissenting vote at the time, calling it a “surveillance bill by another name.” Both he and Sen. Patrick Leahy, the top Democrat on the Judiciary Committee, have said they still have concerns about the privacy implications of the bill.
Similar versions of information-sharing legislation have been proposed in recent years but failed to gain enough traction due to fears that they could bolster government surveillance—a concern that only grew among civil-liberties groups in the wake of Edward Snowden’s disclosures two years ago.
Two companion bills similar to CISA easily passed the House last month.
President Obama earlier this week chastised Congress for not moving more quickly to adopt legislation to shore up the nation’s cyber defenses. Responding to a question about the OPM hack at a press conference in Germany, Obama warned that intrusions will continue to get worse as “both state and non-state actors are sending everything they’ve got at trying to breach these systems.”
In January, the administration rolled out what it called a cybersecurity framework that it said would improve cyber preparedness and help ward off massive breaches like those that have felled companies like Target and JPMorgan in recent years. The framework came just months after Sony Pictures endured a debilitating hack of its network that officials publicly blamed on North Korea.
A cornerstone of the Obama administration’s proposal is to increase the sharing of some digital data between the private sector and the government by offering expanded legal-liability protection to companies that voluntarily participate. But some cybersecurity experts are not convinced that more information sharing would be very effective in preventing or limiting high-profile hacks, and worry that such a regime could actually further threaten customers’ privacy by allowing government agencies—including the National Security Agency—more ways to grab data.
Though the White House has largely been supportive of information-sharing proposals in Congress since the Sony hack, it has indicated that it may have some lingering privacy concerns about the bills put forth in both chambers.
But more consequentially, the administration has threatened to veto the National Defense Authorization Act for reasons unrelated to cybersecurity.