As if the Cybersecurity Information Sharing Act couldn’t get any more controversial, a report on the bill released over the weekend revealed that it excludes a major category of cybersecurity data from the nation’s landmark open-records law.
CISA, sponsored by Senate Intelligence Committee Chairman Richard Burr (R-N.C.), contains a provision that exempts data about cyber threats shared with the government by private companies from the Freedom of Information Act.
“Cyber threat indicators and defensive measures provided to the Federal Government under this Act will also be deemed voluntary shared information and exempt from disclosure” under FOIA, the report reads.
If CISA, a.k.a. S.754, becomes law with this provision intact, journalists would find it more difficult to use a FOIA request—one of the most powerful transparency tools in their arsenal—to obtain records about cybersecurity vulnerabilities that companies shared with the government.
This angered Sens. Martin Heinrich (D-N.M.) and Mazie Hirono (D-Hawaii), who wrote in an addendum to the report that they were “unconvinced” that the exemption—the first FOIA carve-out since 1967—was necessary.
“Government transparency is critical in order for citizens to hold their elected officials and bureaucrats accountable,” the Democratic senators wrote. “The bill’s inclusion of a new FOIA exemption is overbroad and unnecessary as the types of information shared with the government through this bill would already be exempt from unnecessary public release under current FOIA exemptions.”
A spokeswoman for Burr told Politico that the new exemption was supposed to help create “an environment where individuals and businesses feel safe in sharing information with the government as well as with each other.”
Sen. Ron Wyden (D-Ore.), the only member of the Senate Intelligence Committee to vote in March against sending the bill to the full Senate, blasted what he called a “broad new exception to public records law.”
The FOIA carve-out, Wyden said through a spokesman, “is just one of many reasons to reject this misguided bill.”
“CISA is a surveillance bill in sheep’s clothing,” Wyden continued. “It will do little to protect cybersecurity while creating major new avenues for scooping up Americans’ private information.”
CISA, like other cybersecurity bills working their way through the Senate, has come under sustained fire from civil-liberties groups. The Electronic Frontier Foundation said CISA’s “vague definition and broad legal immunity for new spying powers will facilitate a potentially enormous amount of unrelated personal information to government agencies like the NSA.”
“To make matters worse,” the EFF’s Mark Jaycox wrote, “companies are granted broad legal immunity leaving them free to share the information without being concerned about what it might be used for.”
The new FOIA exemption would make it more difficult for journalists to track the sharing of such threat data—which could include personally identifying information—by private businesses.
The House is considering two cybersecurity bills of its own, with the bill that passes heading to a conference committee where House and Senate negotiators will combine it with whatever cyber bill passes the Senate. (In addition to CISA, the Senate is also considering the Cyber Threat Sharing Act.)
Rep. Justin Amash (R-Mich.), one of the House’s leading civil-liberties champions, introduced several privacy-focused amendments to one of the House bills, the National Cybersecurity Protection Advancement Act, but the House Rules Committee did not approve them for a vote.
White House spokesman Mark Stroh declined to comment on CISA’s FOIA exemption, saying the administration did not comment on draft legislation. The Obama administration issued statements on Tuesday night expressing concerns about the two House bills as they were readied for floor votes.