Cybersecurity bill advances in House

The House Intelligence Committee passed a controversial cybersecurity bill on an 18-2 vote Wednesday.

The Cyber Intelligence Sharing and Protection Act, known as CISPA, is expected to be voted on in the House next week with a set of other cybersecurity-focused bills.


House Intelligence Chairman Mike Rogers (R-Mich.) and ranking member Dutch Ruppersberger (D-Md.), the authors of the bill, expressed optimism that Wednesday's markup vote signaled they have enough momentum to pass CISPA through the House, as it did last year.

"What we came up with, we think, is the right approach. It is the one bill out of everything you've seen on both sides of this great institution of the United States Congress that protects a free and open Internet and allows people to share cyber threat information to protect their clients, their business, their [personally identifiable information]," Rogers told reporters following the markup. "It's been a work in progress."

The aim of the bill is to encourage industry and government to share information about malicious source code and other online threats with each other in real time, so companies and government agencies can take steps to thwart cyberattacks.

The bill is intended to remove the legal hurdles that discourage companies from sharing cyber threat data with the government. Companies have said they are hesitant to share threat information with the government because it may result in legal action against them.

A set of six amendments backed by Rogers and Ruppersberger were incorporated into the bill during the markup. Among the approved changes, the bill would require the government to strip personal information from the cyber threat data they receive from companies. The Intelligence panel also agreed to strike a provision from the bill that would allow the government to broadly use the information for "national security purposes.'

Many of the amendments were aimed at allaying the concerns of privacy groups and the White House. So far, the American Civil Liberties Union, Center for Democracy and Technology and other privacy advocates are not won over by the changes. 

The panel also approved language stating that the bill would not allow companies to "hack back" against other entities that have stolen trade secrets or other proprietary information from them.

Reps. Adam SchiffAdam Bennett SchiffMask rules spark political games and a nasty environment in the House CIA says 'Havana syndrome' unlikely a result of 'worldwide campaign' by foreign power The Hill's Morning Report - Biden to make voting rights play in Atlanta MORE (D-Calif.) and Jan Schakowsky (D-Ill.) both voted against the bill during the markup. Amendments offered by the two lawmakers, which were backed by privacy groups, were not agreed to.

"I think there are positive changes to the bill but they don't go far enough," Schiff said after the markup.

"I do think that the reservations that the White House has stated to the bill are still there and my expectation is that they would be appreciative of the steps that were taken, but also call for additional steps," Schiff later said in response to a question about how he expects the administration to react to the revised bill.

Civil liberties and privacy groups have rallied against CISPA, arguing it would undermine existing privacy laws and increase the pool of people's electronic communications that flow to the National Security Agency (NSA). This week a group of privacy advocates launched an online campaign to rally public opposition to CISPA.

The bill leaves it up to companies to decide which government entity they want to share cyber threat data with, although the NSA is among the list of agencies that the measure allows them to relay information to. CISPA would also enable companies to receive valuable government intelligence about cyber threats and grant them liability protection from legal action if they share threat data with the government.

Rogers said the changes adopted to the bill on Wednesday add another layer of privacy and oversight protections to it.
"You can't get more oversight on making sure that people's personally identifiable information is protected than the way we structured it in this bill," he said.

The House Intelligence Committee leaders argue that the bill is needed to help American companies stop foreign hackers from siphoning trade secrets and proprietary data from their computer systems, as well as protect private-owned critical infrastructure from cyberattacks.

"We feel we have to move now," Ruppersberger said. "We don't want another 9/11."

The bill cleared the House Intelligence panel on a 17-1 vote last year and passed the House last spring. CISPA was not taken up in the Senate.  

The White House issued a veto threat against the bill a day before it went to the floor for a vote last year. Among its concerns, the Obama administration said it believe the bill lacked sufficient privacy protections.

In a statement, the White House said the changes adopted to CISPA "reflect a good faith effort" to address some of the substantive concerns it has with the measure, but don't go far enough to solve its "fundamental" issues with the bill. It's still unclear whether the administration will issue another veto threat against the measure before it heads to a vote.

"The administration seeks to build upon the productive dialogue with Chairman Rogers and ranking member Ruppersberger over the last several months, and the administration looks forward to continuing to work with them to ensure that any cybersecurity legislation reflects these principles," said White House spokeswoman Caitlin Hayden in a statement. "We believe the adopted committee amendments reflect a good faith-effort to incorporate some of the administration’s important substantive concerns, but we do not believe these changes have addressed some outstanding fundamental priorities."

Schiff's amendment would have required companies to remove personal information from cyber threat data prior to sharing it with the government or other businesses. Under the bill, companies are not required to take that step when sharing threat data with the government.

Schakowsky's amendments would have narrowed the liability protection available to companies under the bill and ensured threat data would be handled by a civilian agency, like the Homeland Security Department, before being funneled to the NSA and other military agencies. 

--This report was updated at 9:23 p.m.