US Cybersecurity Bill rejected over privacy concerns

Legislation would have dictated minimum security standards for critical infrastructure

The US Cybersecurity Bill, originally intended to dictate minimum standards of online security for critical infrastructure in the US, has been voted down in the Senate over criticisms that it gave authorities too much power to spy on users.

While the Bill achieved 52 votes in favour to 46 against, it required 60 under Senate rules to pass.

Opponents said that while the Bill's intent was worthwhile, the powers that it gave to companies to spy on people, share the fruits of their espionage with government agencies and claim legal immunity for their actions, were unacceptable.

The Bill, which was 200 pages long, would have mandated federal government investment in cybersecurity research, created exchanges in which public and private-sector organisations could share intelligence and mandate legal compliance with minimum security standards for operators of national infrastructure, such as power stations.

However, in addition to the surveillance measures, it also gave the green light to counter-measures that such organisations could take against poorly defined cybersecurity threats. Those counter-measures included the blocking and disruption of internet traffic.

As these would be carried out by private-sector organisations – albeit on behalf of, and mandated by, the government – they would not be covered by the fourth amendment to the US constitution, protecting citizens against unlawful search and seizure.

Likewise, the cybersecurity exchanges in which private-sector organisations would swap information with government agencies could mean that companies such as Yahoo and Google, which hold sensitive information about almost everyone in the US, might be obliged to hand it over to government agencies at their request, argued campaigners.

The Bill had been championed by Senators Joe Lieberman and Susan Collins, and was supported by the White House.

"An overwhelming majority of Senate Republicans blocked consideration of the Cybersecurity Act of 2012, the only comprehensive piece of cybersecurity legislation that would have begun to address vulnerabilities in the nation's critical infrastructure systems," said the White House in a statement.

It added: "Senate Republican opposition to this vital national security bill, coupled with the deeply-flawed House information sharing bill that threatens personal privacy while doing nothing to protect the nation's critical infrastructure, is a profound disappointment."

Senator Lieberman was more forthright in his criticism: "We've got a crisis, and it's one that we all acknowledge. It's not just that there's a theoretical or speculative threat of cyber attack against our country – it's real," he said.

The American Civil Liberties Union described the Bill as "significantly improved" on the original proposals. "[It] was recently significantly improved with several new privacy-oriented changes, including a mandate that information shared with the government under the program go to civilian agencies and not the National Security Agency or other military components," it said in a statement.

It added: "The Bill would have required annual reports from the departments of justice, homeland security, defence as well as the Intelligence Community Inspectors General, which would have described what information is received, who gets it, and what is done with it. It also would have given Americans the right to sue the government if it intentionally or wilfully violates the law."

However, other civil liberties groups welcomed the defeat of the Bill, but noted that it was the third such proposed legislation in three years.