WASHINGTON – A bill seeking to strengthen U.S. defenses against cyberattacks passed the House 288-127 today amid criticism from the White House and civil liberties groups for its lack of privacy protections.
The House Intelligence Committee passed the Cyber Intelligence and Protection Act (CISPA) on an 18-2 vote last week. The committee adopted six amendments during the bill’s markup session held behind closed doors.
CISPA is designed to make it easier for private companies to share the personal information of their customers with the government in the interest of protecting the security of computer networks from cyberattacks.
The bill passed in the House last May, but was rejected by the Senate in August after its supporters could not clear a procedural vote over objections from GOP leaders. House Intelligence Chairman Mike Rogers (R-Mich.) and ranking member Dutch Ruppersberger (D-Md.), the authors of the bill, reintroduced CISPA in February.
“I am very proud that so many of my colleagues were able to look past the distortions and fear mongering about this bill, and see it for what it really is – a very narrow and focused authority to share cybersecurity threat information to keep America safe,” Rogers said today. “I look forward to working with my Senate colleagues to get cyber threat information sharing legislation passed into law this year.”
“Passing this legislation is not just a victory on the House floor. This is victory for America,” said Ruppersberger. “Our nation is one step closer to making a real difference protecting our country from a catastrophic cyber attack.”
The new version of the bill includes additional oversight measures and removes a provision that would have allowed the government to use data they receive from companies for national security purposes. The measure also prohibits companies from retaliating with cyberattacks of their own.
“CISPA will go to conference with cybersecurity legislation that is eventually passed by the Senate, and during that process I will continue to fight to protect personal privacy and alleviate civil liberty concerns,” said Rep. Adam Smith (D-Wash.), ranking member on the House Armed Services Committee. “However, given the many intelligence briefs I have received as Member of Congress detailing previous cyber attacks and our vulnerabilities to future attacks, doing nothing to improve our defense against cyber attacks right now is unacceptable.”
In the few months between the last time the bill made it to the House floor and its reintroduction, officials have reported an increase in cyberattacks originating from Iran and China. At a forum on cyber issues on Tuesday, U.S. officials tried to persuade China to stop its cyberattacks by emphasizing their effects on the Chinese economy.
“I ask my Chinese friends to question whether this kind of activity serves China’s real interests as it seeks to attract high-end investment, aims to develop international markets for its innovative products, and wants its companies welcomed and respected as they increasingly invest around the world,” said U.S. Undersecretary of State for Economic Growth Robert Hormats.
On February 12, the same day that CISPA was reintroduced, President Obama signed an executive order that gives federal agencies greater authorities to share “cyber threat” information with the public sector.
“America must face the rapidly growing threat from cyberattacks,” President Obama said during his 2013 State of the Union address. “Congress must act…by passing legislation to give our government a greater capacity to secure our networks and deter attacks.”
The Obama administration threatened last year to veto CISPA because of its vague language and privacy issues. The new round of amendments are meant to address some of the White House’s concerns and stop the bill from being shelved a second time.
Rogers and Ruppersberger were confident that the legislation would gain the necessary momentum to clear the House.
“What we came up with, we think, is the right approach. It is the one bill out of everything you’ve seen on both sides of this great institution of the United States Congress that protects a free and open Internet and allows people to share cyber threat information to protect their clients, their business, their [personally identifiable information],” Rogers told reporters following the markup. “It’s been a work in progress.”
Reps. Adam Schiff (D-Calif.) and Jan Schakowsky (D-Ill.) both voted against the bill during the markup after the committee did not agree to their amendments, or language similar to them, offered by the two legislators. Both voted against the bill today.
Schiff and Schakowsky proposed an amendment that would have required companies to take reasonable efforts to remove personally identifiable information from threat data before sharing it with the government.
The committee also rejected Schakowsky’s three proposed changes. One of her amendments would have exempted certain agencies, such as the Department of Defense and the National Security Agency, from directly receiving cyber threat data from private companies. Another amendment would have allowed consumers the ability to hold companies liable for misusing their private information.
“Through hard work and compromise, we have produced a balanced bill that provides strong protections for privacy and civil liberties, while enabling effective cyber-threat sharing. The decisiveness of the vote shows the tremendous bipartisan support for this bill,” Rogers said in a statement after the markup.
CISPA has generated criticism from privacy groups and civil rights unions over the bill’s individual data and privacy protection stipulations.
An online petition created in February to stop CISPA reached 109,000 signatures last month – over the threshold of 100,000 required to receive a response from the White House.
Even with the recent modifications, many of CISPA’s critics remain unconvinced, opposing any bill that would give the government too much control over the Internet.
“The changes to the bill don’t address the major privacy problems we have been raising about CISPA for almost a year and a half,” wrote Michelle Richardson, American Civil Liberties Union’s legislative counsel, in a statement last Thursday.
The Electronic Frontier Foundation (EFF), which has lobbied vigorously against the bill, said that the amendments do not fix the main problems with the bill. EFF said that the bill still lets companies share data freely, and the broad legal immunity leaves users with almost no “privacy protections or recourse if a company improperly shares their data.”
The White issued a statement last week indicating that it is not likely to support the House bill in its current form.
“We believe the adopted committee amendments reflect a good-faith effort to incorporate some of the Administration’s important substantive concerns, but we do not believe these changes have addressed some outstanding fundamental priorities,” said Caitlin Hayden, a National Council spokeswoman.
An amendment that would ensure that the Homeland Security Department is the first recipient of cyber threat data from companies circulated among its sponsors on Tuesday, potentially satisfying one of the top concerns of privacy advocates.