The Obama administration expressed concern that the GOP-controlled Congress had quietly included the final version of the Cybersecurity Information Sharing Act in the approved bill, according to a source close to the administration. Further deliberation over the massive omnibus spending bill, which includes approval for the funding of all 12 federal government agencies, wasn't a viable option, as current federal funding was scheduled to expire at 12:01 a.m. on December 23, according to the Wall Street Journal.
The legislation will allow private companies to share user data with the Department of Homeland Security, which would then be obligated to share the data across "relevant government agencies," presumably including the FBI and the NSA.
"The president has long called on Congress to pass cybersecurity information-sharing legislation that will help the private sector and government share more cyber threat information by providing for targeted liability protections while carefully safeguarding privacy, confidentiality and civil liberties," the official said in an interview with US News.
Although the bill had bi-partisan support, not everybody in the Democratic Party is happy about the controversial Cybersecurity Act. Congresswoman Zoe Lofgren of California stated that she voted against the spending bill because it included "a surveillance tool" that doesn't provide data protection.
"This so-called ‘cybersecurity legislation' was inserted into a must-pass omnibus bill at the 11th hour, without debate," she said, adding that, "The protective measures that such a bill should have — including those I believe the Constitution requires — were removed."
The Center for Democracy and Technology, among 50 digital rights groups that criticized the cybersecurity bill in an address to Congress prior to the vote, echoed Lofgren's statements.
Researchers Greg Nojeim and Jadzia Butler from the Center claim that the bill doesn't have sufficient tools to prevent the collection of consumer data outside of a cybersecurity investigation.
"The bill allows the president to later designate other ‘appropriate' civilian federal entities as information sharing portals, leaving room for scenarios in which companies would share — with full liability protection — information derived from Internet users' communications directly with federal entities such as the FBI and other agencies primarily concerned with law enforcement surveillance, not cybersecurity," they observed.
The private sector has begun to provide personal user data to the government upon request. This move would indicate that the new law will not support efforts to prevent consumer data theft, according to Ben Johnson, a former researcher with the NSA. Companies must remain vigilant about online security in order to protect proprietary networks.
President Barack Obama signs the budget bill that will fund the government until next September. pic.twitter.com/hjAFqprOgl— RanMan (@ranman09) December 18, 2015
"Poor [computer] hygiene is rampant," says Johnson, now chief security strategist for the Bit9+Carbon Black cybersecurity company. "Doors, at least virtual ones, are left wide open. Threat intelligence sharing is not the problem."