CISPA Authors Seek to Improve Bill’s Privacy Protections
House Intelligence Committee leaders plan to improve and clarify their cybersecurity information sharing bill, they said during a press call Monday. Their comments came ahead of the committee’s markup of the Cyber Intelligence Sharing and Protection Act (CISPA) (HR-624) scheduled for 2 p.m. Wednesday (http://1.usa.gov/YdSCy7). They mentioned six of the amendments that the committee will consider, some of which are aimed at increasing privacy protections to curb the dissemination of personally identifiable information. The markup will be in room HVC-304 of the Capitol Visitor Center, which is considered a closed space and will not be open to the public or members of the press, a committee spokeswoman confirmed Monday.
Sign up for a free preview to unlock the rest of this article
If your job depends on informed compliance, you need International Trade Today. Delivered every business day and available any time online, only International Trade Today helps you stay current on the increasingly complex international trade regulatory environment.
Committee Chairman Mike Rogers, R-Mich., said the committee would strike language from the bill that would permit the government to share cyberthreat data for national security reasons. The provision will “narrow the use of cyberthreat information,” said Rogers, who said the committee will seek to remove the language due to “misunderstandings” by some stakeholders. Rogers said the committee will consider a provision to limit cybersecurity information use by private sector entities and add language to the bill to clarify that it would not authorize companies to “hack back” into the networks of companies that hacked them.
"It is clear when you read the bill this is not a surveillance bill,” said Rogers. “It does not allow the NSA or any government agency to plug into domestic networks and listen in. That does not happen,” he said. He said the committee will continue to consider legislative changes to ensure that “nothing in this bill will do anything to sacrifice your privacy or civil liberties.” The White House and civil liberties groups have said the bill must incorporate sufficient privacy safeguards in order to gain their support.
Ranking Member Dutch Ruppersberger, D-Md., said the committee will consider an amendment to require the government to establish mandatory procedures to minimize personally identifiable information it receives from the private sector. Ruppersberger said the committee will also consider amendments that would add roles for the privacy and civil liberties oversight board and provide additional privacy oversight responsibilities for agencies that share cyberthreat information.
Ruppersberger said he and Rogers have maintained a dialogue with the White House to resolve the administration’s concerns with the bill. “The White House is not behind our bill but we are working with them to address those issues,” Ruppersberger said. Rogers said the White House and the committee have a number of issues they have been working though since the executive order was signed in February: “We are closer on some and haven’t gotten close on others.”
The White House was mum on whether it planned to issue a veto threat on the bill, as it did last year, but said the legislation must incorporate “proper” privacy protections. A White House spokesman said in an email Monday the administration would not weigh in with an official policy statement until the bill is “ready for the floor, so as not to prejudge the legislative process.” “Our belief continues to be that information sharing improvements are essential to effective legislation, but they must include proper privacy and civil liberties protections, reinforce the appropriate roles of civilian and intelligence agencies, and include targeted liability protections.” Last year the White House said the president would not sign CISPA into law because it failed to adequately protect the privacy and civil liberties of Americans or protect the nation’s core critical infrastructure from cyberattacks, among other concerns (CD May 7 p3).
Privacy groups dug their trenches ahead of the markup, with petitions urging President Barack Obama to issue a veto threat on the bill. The American Civil Liberties Union said it’s seeking to “stop CISPA dead in its tracks,” in one petition (http://bit.ly/145dPMI). The group said the bill, as currently written, would give companies “unprecedented power to hand your personal information from the internet, including from private communications, over to government agencies without a warrant,” according to the petition. The Electronic Frontier Foundation urged citizens to sign a separate petition asking the president to veto the bill (http://bit.ly/15iOoI9). That petition said CISPA would “create a gaping new exemption to existing privacy law” that would permit any company to obtain “personal and private information from your accounts and disclose that data to the U.S. government.” Representatives from both groups held a Q-and-A session on Reddit Monday (http://bit.ly/ZvNBHb).
Separately, the Software and Information Industry Association (SIIA) offered its support for the bill, in a letter sent Monday to the committee chairman and ranking member (http://bit.ly/1506gvS). SIIA President Ken Wasch said the bill would “provide needed legal certainty that threat and vulnerability information voluntarily shared with the government would be provided safe harbor against the risk of lawsuits,” according to the news release. The bill would also “provide a critical exemption from antitrust laws that currently discourage information exchanges between private companies,” he said. Wasch said the group was thankful that lawmakers had “continued to improve key elements to address privacy concerns” related to how the government is able to use data it receives from companies.