This Senator Wants Congress To Stop Playing It Fast And Loose On Cybersecurity

Ron Wyden explains why he's troubled by the Senate's rush to pass a cybersecurity bill.
Sen. Ron Wyden of Oregon.
Sen. Ron Wyden of Oregon.

WASHINGTON -- Sen. Ron Wyden (D-Ore.) is worried Congress is moving too fast when it comes to cybersecurity.

The Oregon Democrat, a staunch privacy advocate, also understands why his colleagues are concerned about the increasing threat cyberattacks pose to the U.S. -- a danger brought into stark relief when the U.S. Office of Personnel Management was hacked in June

Officials said the breach, allegedly carried out by Chinese hackers, affected millions of Americans, who likely had their personal information stolen. Those hit worked both inside and outside the government.

It’s that attack, Wyden said, that has left the Senate rushing to pass meaningful cybersecurity legislation before lawmakers leave for August recess without thinking it through.

"This is an attempt to say that we are going to respond to the very serious hack at the OPM -- we are talking about 20 million records," Wyden told The Huffington Post. "But the reality is, this again doesn’t do a whole lot to promote cybersecurity and it puts at risk many Americans."  

Watch HuffPost's interview with Wyden above.

Senate Majority Leader Mitch McConnell (R-Ky.) brought forward the Cybersecurity Information Sharing Act, known as CISA, on Monday night. The legislation enables tech companies like Google, Twitter and Facebook to voluntarily share cyberthreat information, and limits the government's use of shared data to cybersecurity purposes only. 

The first procedural vote on the bill, which was crafted by Sens. Richard Burr (R-N.C.) and Dianne Feinstein (D-Calif.), will take place no earlier than Wednesday. That leaves little time for debate before the upper chamber leaves for its month-long recess.

"There has been misinformation about this bill, so let me be clear: The goal of the bill is for companies and the government to voluntarily share information about cybersecurity threats -- NOT personal information -- in order to better defend against attacks," Feinstein, the ranking member on the Senate Intelligence Committee, said in a statement.

But Wyden, who was the lone dissenter during the Intelligence Committee markup of the bill earlier this year, argues the bill's privacy protections don’t go far enough. In an effort to quell concerns among privacy hawks and to garner more votes for final passage, Burr and Feinstein circulated changes to the bill, which have yet to be finalized.

Documents summarizing the revisions, provided to HuffPost, say the government could only use the information shared by companies to prosecute cyber-related crimes, and companies will be limited to sharing only cybersecurity threat information. Another adjustment would prohibit the government from citing cybersecurity concerns to deny Freedom of Information Act requests.

Yet for privacy critics like Wyden, those changes aren’t enough.

"Right now, we are seeing the government is having trouble keeping its own data security," he said. "But now Congress is setting up an arrangement where companies are going to hand over enormous amounts of additional private and personal information. That just doesn't add up." 

The Oregon senator agrees that "there is a serious cybersecurity problem" in the U.S. But he also argues that, without stringent privacy protections, CISA isn’t a cybersecurity bill; "it’s a surveillance bill."

Wyden is particularly worried about about secret passageways -- known as "backdoors" in cyber-speak -- that could enable the government to monitor individual Americans for reasons other than cybersecurity.

Backdoors are weaknesses, or openings that companies build into products, such as computers or phones, to be able to get through encryption software easily and gain access to information about cyber or terrorist threats, if needed.

The problem with backdoors, Wyden said, is that FBI Director James Comey is a bit too eager to have them at his disposal. The senator also said the government can collect Americans' private information when accessing records to target a foreign actor.

"They can use it to investigate individuals for a wide variety of offenses that are unrelated to cybersecurity, but it generally can’t be used to regulate companies that hand it over," Wyden said. "So, in effect, the government is saying, 'We care about corporations' privacy, but we don’t care about the privacy of individuals.' I think we should care about both."

Comey told senators when testifying about encryption technology that the government needed to find the right balance between the need to protect the country and privacy for Americans. "There is no such thing as secure," he said last month. "There is more secure and less secure. The question is what can we do to maximize public safety that results in an acceptable level of security."

While Comey has toned down his push a tad for unilateral access to backdoors, according to Wyden, he still wants "some way to get keys in order to access this kind of private information."

"I have great reservations about this because once the good guys have the keys, as sure as the night follows the day, the bad guys are going have the keys as well," Wyden said. 

The senator hasn’t said if he will try to filibuster the bill, or fight for an amendment that would ban building mandatory backdoors for the government in Americans' electronics. He said he is working with his colleagues to determine the best way to blunt the damage from what he considers a "flawed" bill.

Wyden, joined by four other Senate Democrats on Tuesday, sent a letter to Senate Minority Leader Harry Reid (D-Nev.), urging leadership to ensure adequate time to consider "a reasonable number of amendments."

"If the cybersecurity bill went forward, companies would share an awful lot of personal information about individuals," Wyden said. "That’s why I feel so strongly that when this bill goes forward, or if it goes forward, it must be accompanied by strong privacy protections. And without it, it really shouldn’t be named a cybersecurity bill."