Tuesday, January 12, 2016

House Members Want to Repeal Cybersecurity Law

By Mark S. Nelson, J.D.

The ink on last year’s omnibus appropriations bill is still drying, but a group of lawmakers worried over civil liberties has already taken a swipe at the major cybersecurity law attached to the funding measure. Representative Justin Amash (R-Mich), along with co-sponsors Reps. John Conyers (D-Mich), Zoe Lofgren (D-Cal), Thomas Massie (R-Ky), Ted Poe (R-Tex), and Jared Polis (D-Colo), introduced a bill (H.R. 4350) that would repeal the cybersecurity law.

The Cybersecurity Sharing Act of 2015, Division N of the omnibus appropriations bill (Public Law No. 114-113), has several titles, including the Cybersecurity Information Sharing Act of 2015, much of which made it into the spending bill after the Senate overcame many obstacles and passed its version of the law, which was then conferenced with two similar bills that had already passed the House. The CISA title provides for a voluntary program through which the government and private sector companies can share cybersecurity threat information. Businesses that take part in the program can assert liability protections if they follow the law’s requirements.

But the Senate cyber bill had encountered opposition from members who argued it tilted too far in the direction of surveillance without tough enough privacy protections, an argument some have made about Division N of the omnibus. Representative Lofgren’s reaction to the omnibus exemplifies members’ concerns about civil liberties. The repeal bill’s sponsor, Rep. Amash, has previously cited his concerns about civil liberties in the cybersecurity arena.

Yet opposition to Division N of the omnibus does not necessarily extend to lawmakers’ other cyber-themed efforts. For example, Rep. Poe (H.R. 3654), one of those urging repeal of Division N of the omnibus, recently persuaded the House to pass a bill that would require the president to develop a policy to combat terrorists’ use of social media. A related Senate bill (S. 2372) would have companies with electronic communication or remote computing services report terrorists’ use of those sites to the government.