By a vote of 288 to 127, the House of Representatives in Washington D.C. passed a controversial cybersecurity (H.R. 624) bill on April 18 that would allow for real-time, voluntary and bi-directional information sharing between private companies and the government in the event of a cyber attack.
The Cyber Intelligence Sharing and Protection Act (known as “CISPA”) was introduced last year, when it got bogged down in the Senate after passing the House. The bill was reintroduced this year, and is intended to break down legal barriers to sharing cybersecurity threat information between the intelligence community within private industry and the U.S. government with procedures established by the Director of National Intelligence. The CISPA authors are Reps. Mike Rogers (R-Michigan) and Dutch Ruppersberger (D-Maryland), the chairman and ranking member of the House Intelligence Committee.
In the wake of growing cyber attacks on U.S. businesses by foreign entities trying to obtain intellectual property and trade secrets, the intent of CISPA is to promote greater cooperation between companies and the government by making it easier to share information on these events. Critics feel the bill goes too far, relieving legal liabilities for companies who share customers’ personal information while failing to ensure that any private data is removed first.
The bill next moves to the Democratically-controlled Senate, where it is less likely to pass. Further, the White House’s National Security Council has indicated in a statement that it has problems with the bill in its current form, because it does not include enough privacy and civil liberties protections, and targeted liability protections.
Under CISPA, the Federal Government may only use the cyber threat information for cyber security purposes, for the investigation and prosecution of cyber security crimes, to protect an individual from danger of death or serious bodily harm, or for the protection of minors as to child pornography, sexual exploitation, or serious threats to the safety of a minor (including kidnapping and trafficking). Notably, a company is not required to give the federal government the data; it is voluntary. Specifically excluded from data disclosure are the following “sensitive personal documents:” library circulation records, library patron lists, book sales records, book customer lists, firearms sales records, tax return records, educational records and medical records. The department of the federal government may not keep or use the information shared for any other use than those allowed in the bill. Policies and procedures relating to this cyber threat information will be established and reviewed by the Director of National Intelligence, in consultation with the Secretary of Homeland Security and the Attorney General. They are to balance the need to protect systems and networks from cyber threats versus the impact on privacy and civil liberties.
Supporters of CISPA include the Cellular Telecommunications Industry Association, the National Cable & Telecommunications Association, US Telecom Association, TechNet and these companies: McAfee, AT&T, Comcast, IBM, Intel, Oracle, Verizon and Time Warner Cable. Facebook and Microsoft had been CISPA supporters but removed support recently.
Rep. Nancy Pelosi (D-California) and Rep. Adam Schiff (D-California) both opposed the bill in a vocal manner, saying it did not protect the privacy of Americans adequately. Rep. Pelosi felt it did not strike the adequate balance between security and liberty, and gave businesses overly broad liability protections and immunities. Rep. Schiff was only one of two House Intelligence Committee members who moved against the bill last week, when it passed out of the Committee on a vote of 18-2.
If CISPA were to pass the Senate and be signed by the President to become law, what would this mean for consumers? It means that companies like Facebook, Google, Twitter, Instagram and e-mail providers will make promises to consumers in their privacy agreements or terms of service to keep personal data confidential, but should there be a cyber attack, the companies’ designated security personnel would be allowed to breach that promise without liability and share data with other private companies and the U.S. Government for the express purpose of identifying and defending against cyber security threats.