Security Experts:

CISPA Passes After Surprise Vote - Heads to Senate While Facing Veto

The Cyber Intelligence Sharing and Protection Act (CISPA) passed on Thursday with a 248-168 vote in the U.S. House of Representatives. The vote was a day early, and was held just after a number of amendments were approved. As the bill heads to the U.S. Senate, its lost notable form a high profile company and faces a veto from the Obama Administration.

CISPA was passed with a Republican majority, but more than a few Democrats were in favor of the bill as well. If it moves past the Senate, it would fall to President Obama to either sign the bill into law or veto it. If the administration’s previous remarks hold, President Obama would be advised to veto the bill.

The main component of CISPA is the fact that it increases the amount of information shared between the private sector and the government. Moreover, if the said information is shared, which can include personally identifying information, as well as all other logged data; the organizations in the private sector are shielded from any legal action taken against them.

“H.R. 3523 would inappropriately shield companies from any suits where a company's actions are based on cyber threat information identified, obtained, or shared under this bill, regardless of whether that action otherwise violated Federal criminal law or results in damage or loss of life. This broad liability protection not only removes a strong incentive to improving cybersecurity, it also potentially undermines our Nation's economic, national security, and public safety interests,” the OMB said in a statement before the vote was taken.

As it stands now, the “any lawful purpose” wording – as it relates to when information is required to be shared with the government or other private organizations – has been changed to five named uses; cyber security, cyber crime, protecting citizens from bodily harm, protecting children from child pornography, and national security. As long as one of those five reasons are used, then the government will get its information and the organizations that shared it are shielded.

Large organizations, such as Facebook, AT&T, IBM, Oracle, and Symantec, support CISPA. Reports surfaced that Microsoft ended their support of the bill in order to “honor the privacy and security promises”, the company told The Hill that it does still support the bill. "We supported the work done to pass cybersecurity bills last week in the House of Representatives and look forward to continuing to work with all stakeholders as the Senate takes up cybersecurity legislation,” a Microsoft spokesperson told The Hill.

Torsten George, the VP of worldwide marketing at risk management firm Agiliance applauds CISPA, noting that enterprises have waited years in order to see better cooperation between the private sector and the government.

“People reveal more about themselves on Facebook than anything the government would be interested in,” he said in an interview with CSO.

According to CSO’s Taylor Armerding, George also noted that the risks to enterprises and to citizens in general from cyber attacks are much greater than the threat of lost privacy. "The power grid is under daily attack," George told CSO, and if such an attack succeeds, “it could have a major impact.” So in essence, it’s ok to trade the privacy of your personal information and allow private organizations to hand it off because the power grid is being probed for vulnerabilities.

It seems that George is in the minority. In a letter to Congress published by the EFF, several experts said that while cybersecurity is important, “strong computer and network security does not require Internet users to sacrifice their privacy and civil liberties.”

For now, the EFF and other privacy advocates will keep fighting.

"As the Senate takes up the issue of cybersecurity in the coming weeks, civil liberties will be a central issue. We must do everything within our power to safeguard the privacy rights of individual Internet users and ensure that Congress does not sacrifice those rights in a rush to pass vaguely-worded cybersecurity bills," said Lee Tien, EFF Senior Staff Attorney.

In addition to privacy concerns, some feel that while raising the awareness and sharing of certain information could be beneficial in some cases, relying on the government to defend networks is a risky proposition and organizations must remain vigilant.

“The CISPA Cyber Security bill has certainly raised the general awareness of this important issue, but the greatest risk organizations can take is to remain reactive to IT security threats," said Mark Hatton, president and CEO of CORE Security Technologies. "Enterprise organizations cannot rely on the government alone to defend their IT environments and protect their intellectual property from sophisticated, targeted cyber attacks. Organizations must learn to combat evolving threats in a completely different way – by being predictive. By proactively monitoring their networks, they can identify weaknesses before they are attacked and not just scramble to pick up the pieces after.”

Updated to reflect Microsoft's statement reaffirming its support for the CISPA.

Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.