CISPA Passes House: What's Next?

Cybersecurity information-sharing bill moves to the Senate, but civil liberties groups vow to continue fighting it tooth and nail.
The House of Representatives Thursday voted to advance the Cyber Intelligence Sharing and Protection Act (CISPA).

The 236-185 vote means that the full House can vote on CISPA, which may happen as early as Friday. The bill, written by Mike Rogers (R-Mich.) and C. A. Dutch Ruppersberger (D-Md.), was designed to allow U.S. intelligence agencies to share threat data with the private sector.

The rules vote passed despite the Obama administration's promise on Wednesday to veto CISPA. In a statement, the White House said that the bill "fails to provide authorities to ensure that the Nation's core critical infrastructure is protected." In particular, the White House and Democrats are concerned that the businesses responsible for protecting critical infrastructure wouldn't be held accountable for their actual security practices. They've likewise warned, in the words of a statement issued by the White House, that the bill could "undermine the public's trust in the government as well as in the Internet by undermining fundamental privacy, confidentiality, civil liberties, and consumer protections."

"This bill in its current form ... is an unprecedented, sweeping piece of legislation that would waive every single privacy law ever enacted in the name of cybersecurity," said Rep. Jared Polis (D-Colo.).

But Republicans countered that CISPA had been designed to include privacy safeguards for any data that businesses share with the government. "It significantly limits the federal government's use of that information that the private companies voluntarily provide, including the government's authority to search data," said Rep. Rich Nugent (R-Fla.).

A bipartisan Senate bill that's under development, however, would require businesses in the critical infrastructure to comply with new Department of Homeland Security regulations.

Several last-minute revisions by Rogers, the bill's primary author, were meant to make the bill more palatable to critics. But some changes appeared to be little more than window dressing. For example, one section of the bill indemnified businesses that failed to act on any security intelligence they received. "If a company learns about a security flaw, fails to fix it, and users' information is misused or stolen, companies cannot be held liable as long as the company acted 'in good faith' according to CISPA," said Rainey Reitman, activism director at the Electronic Frontier Foundation (EFF), in a blog post.

How did Rogers address that criticism? In a section on how businesses would be indemnified, Reitman said, "He changed the phrase 'for using cybersecurity systems or sharing information in accordance with this section' to 'for using cybersecurity systems to identify or obtain cyber threat information or for sharing such information.' Basically, he didn't fix it at all."

Meanwhile, moments before the vote on the bill, Rogers accused groups that opposed CISPA of "obfuscation," reported Wired. "Stand up for America. Support this bill," he said to the House.

With CISPA set to move to the Senate for consideration, civil liberties groups have vowed to continue trying to take it down. "Hundreds of thousands of Internet users spoke out against this bill, and their numbers will only grow as we move this debate to the Senate," said Reitman in a statement. "We will not stand idly by as the basic freedoms to read and speak online without the shadow of government surveillance are endangered by such overbroad legislative proposals."

The Center for Democracy and Technology (CDT) likewise released a statement condemning the passage of CISPA "in such flawed form and under such a flawed process." While the online civil liberties group applauded the Intelligence Committee's work, which led to more precise definitions and scope surrounding which types of information could be shared, it said that significant privacy concerns remained.

"We are also disappointed that House leadership chose to block amendments on two core issues we had long identified: the flow of information from the private sector directly to NSA and the use of that information for national security purposes unrelated to cybersecurity," said CDT spokesman Brock Meeks. "We intend to press these issues when the Senate takes up its cybersecurity legislation."

On Monday, a group of more than 60 leading security experts and engineers released a letter calling for an end to CISPA and other overly broad cybersecurity bills. "The bills nullify current legal protections against wiretapping and similar civil liberties violations for that kind of broad data sharing. By encouraging the transfer of users' private communications to U.S. federal agencies, and lacking good public accountability or transparency, these 'cybersecurity' bills unnecessarily trade our civil liberties for the promise of improved network security," read the letter, which was signed by Bruce Schneier, chief security technology officer of BT, technologist Dan Gillmor, and privacy expert Christopher Soghoian, among others.