CISPA cybersecurity legislation vote due in next 48 hours

All your data are belong to us

The US House of Representatives has scheduled a vote on the Cyber Intelligence Sharing and Protection Act (CISPA) for Wednesday or Thursday, and the pro and anti camps are marshaling their forces to try to sway the result.

CISPA, or H.R. 624 to give it its proper name, sets up a framework for government agencies to share attack information with private companies to help mitigate attacks. But it also overrides all existing computer privacy legislation by allowing the companies to share personal information with the government - anonymized or not - to help with "cybersecurity purposes," and be immune from prosecution if they do.

It's this latter side of the legislation that has some people's backs up, and a coalition of 34 privacy and online groups have banded together to try and stop the legislation. Supporters (who include Facebook, Microsoft and Intel) point out that alterations have been made to safeguard private information as much as possible, but the coalition isn't impressed.

"Although some amendments were adopted in markup to improve the bill's privacy safeguards, these amendments were woefully inadequate to cure the civil liberties threats posed by this bill," they said in an open letter.

"In particular, we remain gravely concerned that despite the amendments, this bill will allow companies that hold very sensitive and personal information to liberally share it with the government, including with military agencies."

This is the second outing for CISPA. It was originally introduced by representatives Mike Rogers (R-MI) and "Dutch" Ruppersberger (D-MD) last year and was passed by the House of Representatives last April by a vote of 248 to 168. The lack of privacy protections in this bill prompted the White House to sort-of threaten to veto the legislation, but as it turns out there was never a need to.

In August CISPA was scuppered by a Republican filibuster in the Senate, along with the addition of amendments on abortion, gun control, and Senate minority leader Mitch McConnell's (R-Kentucky) attempt to repeal the Affordable Care Act. The bill looked dead and buried but in January its sponsors brought it back from the dead.

Initially CISPA v2.0 was exactly the same bill, but some amendments have since been made by the House Permanent Select Committee on Intelligence, who met in a secret session to discuss the bill and passed the changes on an 18-2 vote.

One amendment requires the Inspector General and the Privacy and Civil Liberties Oversight Board to regularly report on how the government's use of CISPA is impacting privacy, while another requires information to only be gathered for a "cybersecurity purpose" rather than the previous catch-all of "national security."

But privacy groups are still unsatisfied with the lack of oversight for commercial concerns that do hand over customer information on request, and the remaining broad terminology still found in parts of the bill. Failed amendments included seeking to alter companies' immunity from customer lawsuits and making the Department of Homeland Security the recipient of data rather than the NSA.

The bill has strong support from the technology industry, not least because the regulations are much less onerous than alternative legislation. Co-sponsor Mike Rogers said that the amended bill will provide security without compromising privacy.

"This bill takes a solid step toward helping American businesses protect their networks from these cyber looters," he said. "Through hard work and compromise, we have produced a balanced bill that provides strong protections for privacy and civil liberties, while enabling effective cyber-threat sharing."

It looks likely at this stage that CISPA will pass a vote in the House, but given the convoluted state of American politics, that's just the start of the process. The Senate has to devise legislation and vote on the matter, and then the White House will take a look – but isn't keen on the legislation as it stands.

"We continue to believe that information sharing improvements are essential to effective legislation, but they must include privacy and civil liberties protections, reinforce the roles of civilian and intelligence agencies, and include targeted liability protections," Caitlin Hayden, a National Security Council spokeswoman, told the LA Times.

"We believe the adopted committee amendments reflect a good-faith effort to incorporate some of the Administration's important substantive concerns, but we do not believe these changes have addressed some outstanding fundamental priorities."

President Obama seems to be getting that the security situation needs attention, as envisaged by his Executive Order in January. But CISPA as it stands has a long and rocky road ahead, even if it does pass the House of Representatives. ®
