CISPA cybersecurity legislation vote due in next 48 hours
All your data are belong to us
The US House of Representatives has scheduled to vote on the Cyber Intelligence Sharing and Protection Act (CISPA) for Wednesday or Thursday, and the pro and anti camps are marshaling their forces to try and sway the result.
#CISPA slated for House Floor on Wed & Thurs (April 17 & 18)— House Intel Comm (@HouseIntelComm) April 15, 2013
CISPA, or H.R. 624 to give it its proper name, sets up a framework for government agencies to share attack information with private companies to help mitigate attacks. But it also overrides all existing computer privacy legislation by allowing the companies to share personal information with the government - anonymized or not - to help with "cybersecurity purposes," and be immune from prosecution if they do.
It's this latter side of the legislation that has some people's backs up, and a coalition of 34 privacy and online groups have banded together to try and stop the legislation. Supporters (who include Facebook, Microsoft and Intel) point out that alterations have been made to safeguard private information as much as possible, but the coalition isn't impressed.
"Although some amendments were adopted in markup to improve the bill's privacy safeguards, these amendments were woefully inadequate to cure the civil liberties threats posed by this bill," they said in an open letter.
"In particular, we remain gravely concerned that despite the amendments, this bill will allow companies that hold very sensitive and personal information to liberally share it with the government, including with military agencies."
This is the second outing for CISPA. It was originally introduced by representatives Mike Rogers (R-MI) and "Dutch" Ruppersberger (D-MD) last year and was passed by the House of Representatives last April by a vote of 248 to 168. The lack of privacy protections in this bill prompted the White House to sort-of threaten to veto the legislation, but as it turns out there was never a need to.
In August CISPA was scuppered by a Republican filibuster in the Senate, along with the addition of amendments on abortion, gun control, and Senate minority leader Mitch McConnell's (R-Kentucky) attempt to repeal the Affordable Care Act. The bill looked dead and buried but in January its sponsors brought it back from the dead.
Initially CISPA v2.0 was exactly the same bill, but some amendments have since been made by the House Permanent Select Committee on Intelligence, who met in a secret session to discuss the bill and passed the changes on an 18-2 vote.
One amendment requires the Inspector General and the Privacy and Civil Liberties Oversight Board to regularly report on how the government's use of CISPA is impacting privacy, while another requires information to only be gathered for a "cybersecurity purpose" rather than the previous catch-all of "national security."
But privacy groups are still unsatisfied with the lack of oversight for commercial concerns that do hand over customer information on request, and the remaining broad terminology still found in parts of the bill. Failed amendments included seeking to alter company's immunity from customer lawsuits and making the Department of Homeland Security the recipient of data rather than the NSA.
The bill has strong support from the technology industry, not least because the regulations are much less onerous than alternative legislation. Co-sponsor Mike Rogers said that the amended bill will provide security without compromising privacy.
"This bill takes a solid step toward helping American businesses protect their networks from these cyber looters," he said. "Through hard work and compromise, we have produced a balanced bill that provides strong protections for privacy and civil liberties, while enabling effective cyber-threat sharing."
It looks likely at this stage that CISPA will pass a vote in the House, but given the convoluted state of American politics then that's just the start of the process. The Senate has to devise legislation and vote on the matter, and then the White House will take a look – but isn't keen on the legislation as it stands.
"We continue to believe that information sharing improvements are essential to effective legislation, but they must include privacy and civil liberties protections, reinforce the roles of civilian and intelligence agencies, and include targeted liability protections," Caitlin Hayden, a National Security Council spokeswoman, told the LA Times.
"We believe the adopted committee amendments reflect a good-faith effort to incorporate some of the Administration's important substantive concerns, but we do not believe these changes have addressed some outstanding fundamental priorities."
President Obama seems to be getting that the security situation needs attention, as envisaged by his Executive Order in January. But CISPA as it stands has a long and rocky road ahead, even if it does pass the House of Representatives. ®
Sponsored: Network DDoS protection