The new Cybersecurity Act of 2015, included in the Omnibus Appropriations Act approved last week, expands the powers of network operators to conduct surveillance for cybersecurity purposes.
Pop Herald reported that House Intelligence Committee Chairman Devin Nunes and senior Democrat Adam Schiff, who were among the primary supporters of the bill, said the Cybersecurity Act would require companies to remove all "extraneous personal information" before they provide cyber threat data to the government.
According to NPR, the new $1.1 trillion funding bill signed by President Barack Obama Friday will "strengthen cybersecurity programs." Appropriations Committee Vice Chairwoman Barbara Mikulski said, "I think it's a great bill; it's a result of bipartisan effort. Let's vote for it, and may the Force be with us."
The statutory surveillance laws consist of the Pen Register statute, the Wiretap Act and the Stored Communications Act. Generally, they prohibit Internet surveillance, but with certain exceptions. Telecommunications providers can conduct surveillance and share data when it is "a necessary incident . . . to the protection of the rights or property of the provider of that service."
The Washington Post explained that the new Cybersecurity Act will stay in effect for ten more years, up to 2025, under § 111(a). Section 104, entitled "Authorizations for Preventing, Detecting, Analyzing, and Mitigating Cybersecurity Threats," allows network operators to monitor, operate defensive measures, and share information with others. Monitoring and operating defensive measures can be outsourced. A network operator can let a third-party firm monitor its network and even operate defensive measures for it as long as it has "written consent."
These powers are given to network providers "notwithstanding any other provision of law," which means the Act can undermine any other law that gets in its way. It also includes § 108(k), which is considered an express pre-emption section that supersedes countervailing state law.
Ultimately, the law gives network operators unlimited legal privilege to conduct monitoring, operate defensive measures, and share vital information.