Legislation to encourage the U.S. federal government and industry to share cyberthreat information cleared the House Intelligence Committee by an 18-2 vote after being amended to strengthen privacy and civil liberties protections.
At a markup session on April 10, the House Permanent Select Committee on Intelligence adopted three amendments to the Cyber Intelligence and Sharing Protection Act that sponsors assert would strengthen privacy protections and civil liberties by:
- Requiring the government to establish minimization procedures designed to limit the receipt, retention and use of personally identifiable information not necessary to protect systems or networks from cyberthreats while ensuring the critical cyberthreat information necessary to protect systems can flow quickly.
- Adding responsibilities for the Privacy and Civil Liberties Board and individual agency privacy officers to provide additional oversight of the government's use of information received from the private sector under the bill.
- Limiting the private sector's use of any cybersecurity information received to cybersecurity purposes only.
Opponents: Privacy Safeguards Insufficient
The amendments are seen as a concession to privacy advocates, although two Democratic members of the committee contend the protections didn't go far enough, and provided the only two votes against the bill. "I strongly agree with the need to enact effective cybersecurity legislation, and commend the bipartisan effort of the House Intelligence Committee, but this bill doesn't sufficiently protect individual privacy rights," said Rep. Jan Schakowsky, D-Ill., who along with Rep. Adam Schiff, D-Calif., voted against the bill.
Still, other Democratic committee members said the amended version should affirmatively address the objections raised last year when President Obama threatened to veto the bill known as CISPA over privacy and civil liberties concerns. "I would not support a bill that did not take our citizens' privacy seriously," said Rep. Jim Langevin, the Rhode Island Democrat and committee member who co-founded the Congressional Cybersecurity Caucus.
The White House hasn't taken a position yet on the 2013 version of CISPA, which goes to the full House for consideration, possibly as early as next week [see Is Compromise in Offing for CISPA?]. The 2012 version of the bill passed the House, but never came up for a vote in the Senate.
Backed by advocacy groups such as the American Civil Liberties Union and the Electronic Frontier Foundation, Schakowsky said the amended bill failed to provide an adequate balance between cyber-protection and privacy and civil liberties safeguards.
Amendments Rejected to Fortify Privacy Rights, Keep Data from Military
The committee rejected three amendments Schakowsky offered that the Illinois Democrat contends would have strengthened privacy protections, ensured that consumers can hold companies accountable for misuse of their private information, required that companies report cyberthreat information directly to civilian agencies and maintained the long-standing tradition that the military doesn't operate on U.S. soil against American citizens.
Schakowsky said she'll bring up her amendments when the House considers the measure.
But Langevin, in voting for the bill in committee, said the amended bill provides sufficient privacy and civil liberties protections, although he suggested the legislation could be strengthened.
"We cannot address these challenges without effective information sharing, and after much collaboration with civil liberties advocates, we have included strong precautions that guard against government access to and use of people's personal information," Langevin said. "I will continue to work with the committee, the White House and stakeholders to strengthen the measure when it comes to the House floor."
Anti-Hack-Back Rider Affirmed
The committee accepted an amendment offered by Langevin specifying that the measure does not provide any new authority to "hack back," addressing concerns that the measure could be misinterpreted to authorize companies to hack into other companies' networks to take back information that was stolen from them.
Privacy and civil libertarian advocates contend CISPA allows private Internet communications and information about U.S. citizens to go to the NSA, the military intelligence agency that intercepts electronic communications. The bill's sponsors maintain that the information being shared isn't content, but malicious code that can plant spyware in corporate computers to pilfer trade secrets or cause other types of havoc.
Obama, in an executive order issued in February, called for the establishment of a cyberthreat information sharing process [see Obama Issues Cybersecurity Executive Order]. But legislation is needed to provide liability protection for companies acting in good faith to protect their own networks or share threat information.
CISPA also would allow the federal government to provide classified cyberthreat information to the private sector to help American companies better protect themselves from advanced cyberthreats. It would also empower American businesses to share cyberthreat information with others in the private sector and enable the private sector to share information with the government on a purely voluntary basis. According to the bill's sponsors, it would do all this while providing strong protections for privacy and civil liberties, a contention that some lawmakers contest.