CISPA sponsors mull privacy change

A key amendment that could potentially satisfy one of privacy advocates' top concerns with a House cybersecurity bill is still under discussion among its sponsors.

So far, privacy advocates say the text of the amendment filed to the House Rules Committee on Wednesday does not address their concerns with the Cyber Intelligence Sharing and Protection Act, or CISPA.

One of privacy advocates' top concerns with the cybersecurity bill would have been addressed in an earlier version of the amendment, which was circulated among stakeholders early Wednesday.

The earlier copy of the amendment would have ensured that the Homeland Security Department (DHS), a civilian agency, would be the first recipient of cyber threat data from companies.

Privacy advocates and the White House have criticized CISPA, in part, because it would allow companies to share cyber threat data directly with the military without it being handled by a civilian agency first.

The earlier version of the amendment, which was obtained by The Hill, would have marked a significant concession by the sponsors of CISPA, House Intelligence Committee leaders Mike Rogers (R-Mich.) and Dutch Ruppersberger (D-Md.). The two lawmakers are working on the amendment with House Homeland Security Committee leaders Michael McCaul (R-Texas) and Bennie Thompson (D-Miss.). 

The House Homeland Security Committee has jurisdiction over DHS.

A copy of that earlier amendment was filed just before the House Rules Committee met on Tuesday to determine which amendments to CISPA would be voted for on the floor. That version — which does not include any lawmakers' names on it— was circulated among stakeholders. The copy has a time stamp of Tuesday afternoon.

Speaking on the House floor, House Rules Chairman Pete Sessions (R-Texas) said the amendment would be offered by McCaul and negotiations on the proposed change "continued all last night and into today."

Sessions said the amendment has been "vetted thoroughly" and is a "testament to the work on a bipartisan basis."

"These negotiations have given us what should be a good amendment," he said.

Under the earlier copy of the amendment, companies would only be able to receive liability protection from future lawsuits if they share information about malicious source code and other online threats with DHS first. DHS would be able to pass on that threat data to relevant agencies.

Companies would still be able to share cyber threat data with the National Security Agency and other departments under existing information-sharing efforts.

According to a copy of the amendment, "the president shall designate an entity within the Department of Homeland Security as the primary entity to receive cyber threat information that is shared by a cybersecurity provider or self-protected entity."

"Companies are granted immunity for sharing information directly with the NSA and that still needs to be fixed," said Michelle Richardson, legislative counsel at the American Civil Liberties Union, who saw the earlier copy of the amendment that was circulated on Tuesday.

CISPA is expected to be voted on in the House on Thursday. The bill is aimed at making it easier for companies and the government to share information about cyber threats with each other in real time.

Rogers and Ruppersberger have argued that improved information-sharing efforts could help companies thwart cyberattacks against computer systems faster.

--This report was updated at 2:01 p.m. and at 7:57 p.m.