CISPA Improvements Unsatisfactory, White House Says
The White House said it’s not satisfied with a cybersecurity bill despite its adoption of some amendments aimed at addressing privacy concerns approved during markup by House Intelligence Committee members. The amendments “reflect a good faith-effort to incorporate some of the Administration’s important substantive concerns, but we do not believe these changes have addressed some outstanding fundamental priorities,” White House spokeswoman Caitlin Hayden said Thursday via email. The Cyber Intelligence Sharing and Protection Act (CISPA) (HR-624) passed the committee 18-2 during a closed markup session Wednesday afternoon. The bill, which passed the House last year but didn’t reach the Senate, is now expected to be considered by the full House next week, the committee said in a news release after the vote.
Sign up for a free preview to unlock the rest of this article
If your job depends on informed compliance, you need International Trade Today. Delivered every business day and available any time online, only International Trade Today helps you stay current on the increasingly complex international trade regulatory environment.
The White House did not make an official veto threat but said the bill “must include privacy and civil liberties protections, reinforce the roles of civilian and intelligence agencies, and include targeted liability protections.” Last year the White House said the president would not sign CISPA into law because it failed to adequately protect the privacy and civil liberties of Americans or protect the nation’s core critical infrastructure from cyberattacks, among other concerns (CD May 7 p3). “The Administration seeks to build upon the productive dialogue with Chairman [Mike] Rogers [R-Mich.] and Ranking Member [Dutch] Ruppersberger [D-Md.] over the last several months, and the Administration looks forward to continuing to work with them to ensure that any cybersecurity legislation reflects these principles,” Hayden said.
Ruppersberger said in a statement following the vote the bill was the result of a collaborative process with privacy groups, the business community and the White House. “The adoption of a host of amendments in markup today supported by these groups shows a true commitment to making our bill better and improving privacy and civil liberties protections.” Rogers said in a statement Wednesday afternoon the “decisiveness” of the committee vote shows the “tremendous bipartisan support for this bill.” “Through hard work and compromise, we have produced a balanced bill that provides strong protections for privacy and civil liberties, while enabling effective cyber-threat sharing.”
The committee adopted six amendments including provisions to remove the bill’s authorized “national security” use language, and establish federal data minimization procedures to limit the receipt, retention and use of personally identifiable information. The committee approved an amendment from Rep. Jim Langevin, D-R.I., to clarify that the bill would not authorize companies to hack into other companies’ networks to take back information that was stolen from them. Committee members approved a provision to increase oversight roles for the Privacy and Civil Liberties Oversight Board on the government’s use of information received from the private sector and a manager’s amendment with some technical corrections. The bill now includes a provision to limit the private sector’s use of any cybersecurity information received from the government for only cybersecurity uses, rather than for marketing or other non-cybersecurity purposes.
Langevin said he was pleased his amendment helps address concerns from civil liberties advocates that companies may use cyber countermeasures against those who attack them, but said more must be done to secure networks from attacks. “CISPA is not a final solution to cybersecurity,” he said in a news release following the vote. “While it promises to greatly improve situational awareness, information sharing alone will not allow us to prevent every attack.” Langevin said legislation is needed to require owners and operators of the nation’s critical infrastructure to meet minimum cybersecurity standards and seek to educate and train more cybersecurity professionals.
Not all committee members were pleased with the final wording, particularly Rep. Adam Schiff, D-Calif., whose amendment to require that companies scrub unrelated private information from shared data was defeated. “It is not too much to ask that companies make sure they aren’t sending private information about their customers, their clients, and their employees to intelligence agencies, along with genuine cyber security information,” he said in a news release after the vote. The committee also defeated an amendment he supported which would have made the Department of Homeland Security the lead agency in the coordination and sharing of cyberthreat information between the private and public sectors. “While I support increased information sharing, without requirements that companies make sure they aren’t sharing personally identifiable information, as well as making the Department of Homeland Security the initial point of receipt, I cannot support the bill in its current form,” he said.
The ACLU said it’s not satisfied with the amended legislation and urged House members to reject it when it comes to a floor vote. The changes to the bill “don’t address the major privacy problems we have been raising about CISPA for almost a year and a half,” said Michelle Richardson, ACLU legislative counsel, in a news release. “CISPA still permits companies to share sensitive and personal customer information with the government and allows the National Security Agency to collect the Internet records of everyday Americans,” she said. “The bill continues to do so even though the NSA maintains it does not want nor need that power and cybersecurity experts tell lawmakers that sharing personal information will not protect critical infrastructure from intrusion and attack.”
BSA applauded the committee’s passage of CISPA as a “constructive step in the legislative process.” In a news release the group specifically commended the committee’s adoption of “several amendments to strengthen privacy protections as the public and private sectors share information about cyber threats,” said BSA President Robert Holleyman.