By Pete Kasperowicz and Jennifer Martinez - 04/18/13 05:00 PM EDT
The House on Thursday approved cybersecurity legislation that sets up a framework for companies and the federal government to share information about threats.
The Cyber Intelligence Sharing and Protection Act (CISPA), H.R. 624, was approved in a 288-127 vote despite ongoing fears from some lawmakers and privacy advocates that the measure could give the government access to private information about consumers.
Ninety-two Democrats voted with Republicans in favor of the bill and just 29 Republicans opposed it. The bill secured enough votes to override a veto.
That's greater support than last year, when a similar bill passed 248-168 with the support of 42 Democrats. Twenty-eight Republicans opposed that bill.
Some hope this year will be different, but President Obama has threatened to veto the House bill, and Senate Democrats have not said whether they would consider the bill at all.
Supporters argue the bill is needed to overcome current limitations in the 1947 National Security Act, which prevents intelligence officials from giving certain information to entities that do not have a security clearance. They say allowing information sharing will help companies thwart cyberattacks against their computer systems more quickly.
"So, basically what our bill does is to allow the sharing of information, which we can't do now, to the private sector," House Intelligence Committee ranking member Dutch Ruppersberger (D-Md.) said during Wednesday debate.
Ruppersberger added Wednesday that less than a dozen companies are responsible for 80 percent of U.S. information networks, which means the government and these companies need to be able to talk to each other about emerging cyber threats.
But privacy groups and several members of the House fear the bill might still give the government, including the National Security Agency, access to private consumer information. The White House threatened to veto the bill because it argues the measure does not require companies to remove personal data to the extent possible before passing it on to the government and other businesses.
House Minority Leader Nancy Pelosi (D-Calif.) said she was "disappointed" that this issue was not resolved in the bill, and said she would vote against CISPA.
"They can just ship the whole kit and caboodle over," Pelosi said of companies' obligations on data sharing. "We are saying, minimize what is relevant to our national security. The rest is none of the government's business." Pelosi also argued that the bill provides broad liability protection for companies that send information to the government, and said that liability should be narrowed.
In an effort to address fears about the sharing of information with the government, members agreed to a last-minute amendment that would make it more likely that companies would share threat data with the Homeland Security and Justice departments. It would establish that a center within the DHS has the federal hub for cyber threat information-sharing efforts, and designate the Justice Department as the hub for all cyber crime information.
That amendment passed in a 409-5 vote; the "no" votes came from Republicans. Supporters stressed that this change would help ensure this data is run through civilian government agencies before going right to the military.
"This is an important amendment," House Intelligence Committee Chairman Mike Rogers (R-Calif.) said Thursday. "This is that civilian face that so many talked about for so long on this bill."
House Homeland Security Committee Chairman Mike McCaul (R-Texas), who offered the amendment, said the change should help ensure civil liberties are protected.
"This is an important improvement, and provides an additional layer of review of information-sharing procedures by a robust civilian privacy office in order to ensure American civil liberties are protected," McCaul said. Ranking committee member Bennie Thompson (D-Miss.) said he supports the change, which he said would let people "take comfort knowing that their information will be more likely shared with an appropriate civilian agency."
The fear about increasing the government's access to personal information was a key issue during Wednesday's debate on the bill, during which Rogers repeated several times that nothing in the bill allows government monitoring of networks.
"This is not a surveillance bill," Rogers said. "It does not allow the national security agencies, or the Department of Defense, any of our military organizations, to monitor our domestic networks. It does not allow that to happen, we would not allow that to happen."
But with President Obama's veto threat looming, it's not clear whether the House's efforts to improve the bill this year will give it any life in the Senate. Senate Democrats have not said whether they would consider the bill at all.
In addition to passing amendments on Wednesday, the House disposed of several other amendments on Thursday, from:
— Kyrsten Sinema (D-Ariz.), to require the Inspector General of the Department of Homeland Security to report to Congress on cyber information. Other departments are already required to report to Congress. Passed 411-0.
— Loretta Sanchez (D-Calif.), to require the privacy officer and the officer for civil rights and civil liberties of the Department of Homeland Security to issue an annual report on data privacy and civil liberties. Passed voice vote.
— Doug LaMalfa (R-Calif.), to clarify that nothing in the bill authorizes the government to target U.S. citizens for surveillance. Passed 413-0.
— Erik Paulsen (R-Minn.), including a sense of Congress that international cooperation should be encouraged on cybersecurity issues. Passed voice vote.
— Joe Barton (R-Texas), to clarify that companies sharing cyber threat information with other companies cannot treat this sharing relationship as a loophole to sell a consumer's personal information for a marketing purpose. Passed voice vote.
— Sheila Jackson Lee (D-Texas), to clarify that cybersecurity service providers are not required provide information about cybersecurity incidents that don't involve attacks against government information systems. Passed voice vote.