Why the Omnibus Shouldn’t Include Cybersecurity Legislation

ThinkstockPhotos-459878353

Later this week, the House is slated to vote on a $1.1 trillion “omnibus” spending bill to fund the federal government through next fall. Naturally, the legislation will likely contain numerous riders and add-ons that address issues unrelated to appropriations, ranging from oil exports to compensation for 9/11 victims. But one potential addition to the lengthy omnibus bill is extremely troubling: according to several reports, House leaders are considering adding cybersecurity information sharing to the package. Rushing a cybersecurity bill through Congress before the holidays is premature, especially given how little we know about the details of a potential cyber addition to the omnibus.

Congress has been busy with cybersecurity legislation this year. In October, the Senate passed the Cybersecurity Information Sharing Act, known as CISA. Earlier, in April, two cybersecurity bills passed the House—the Protecting Cyber Networks Act (PCNA) and the National Cybersecurity Protection Advancement Act (NCPAA). Each of these bills aims to tackle legal barriers that limit how companies can share what they learn about cyber attacks with other businesses or government agencies. But these three bills differ in certain key respects, so the two houses of Congress will need to reconcile these differences before sending any legislation to President Obama’s desk.

Unfortunately, House leadership is reportedly considering including CISA, the Senate’s cybersecurity bill, in the “must-pass” omnibus spending package to keep the federal government’s doors open. Although the Competitive Enterprise Institute supports legislation to ease cybersecurity information sharing—at least in principle—CISA is the wrong approach, as I explained a couple months ago on these pages. Among many problems, CISA lacks a key safeguard to prevent government abuse: a private right of action that lets people sue the government if they’re injured when an agency misuses personal information it receives from a company for cybersecurity reasons. Unlike CISA, both House bills include a private right of action, and for good reason. Without it, Americans would have to rely on government agencies to effectively and reliably police themselves—in spite of all the evidence that such “internal” safeguards simply do not work.

CEI isn’t alone in calling for the House to resist efforts to insert cybersecurity legislation in the omnibus package. Today, several free market groups—R Street, the Niskanen Center, FreedomWorks, and TechFreedom—sent a letter to Speaker of the House Paul Ryan urging him not to add CISA or similar legislation to the omnibus bill.

Although cybersecurity is a hot issue on Capitol Hill these days, rushing through complex legislation about which key questions remain unresolved would be a huge mistake, potentially endangering Americans’ privacy interests and individual liberties. Instead, Congress should carefully consider objections that CEI and other groups have raised regarding CISA and related bills, and move forward with cybersecurity legislation if—and only if—these concerns can be resolved.