House lawmakers are expected to mark up the proposed cybersecurity legislation in a private closed-door session today in preparation for a floor vote next week.
The proposed legislation creates a framework that would allow private sector companies and the federal government to share information on the latest cyber-threats, even the classified threats. The bill, if it becomes law, would also provide liability protection to companies who get hacked if they can show they shared information and they acted in good faith to protect their infrastructure.
Supporters of the bill have pointed to the wave of denial-of-service attacks against American banks and the high-profile incidents against media companies and other organizations to underscore the seriousness of the threat. Many lawmakers believe the Iranian and Chinese governments are behind some of these incidents.
Cyber-attacks are “the most important national security threat lapping at the shores of the United States,” House Intelligence Committee Chairman Mike Rogers (R-Mich) said Monday during a conference call with reporters.
In light of recent Congressional testimony that claimed cybersecurity has surpassed terrorism as the number one threat to the United States, “information sharing is critically important for the future of cyber-defense capabilities,” Robert Rodriguez, chairman and founder of the Security Innovation Network, told SecurityWeek.
Privacy advocates oppose the bill, which they say would expose individual private Internet records, such as bank accounts and emails, to government agencies. The Cyber Intelligence Sharing and Protection Act of 2013 (CISPA) is more or less the exact same version that was introduced last year and passed by the House, but ignored by the Senate. The White House also sided with the privacy advocates, saying the legislation went too far. Many companies that supported CISPA last year have dropped their support this year, including Microsoft, Oracle, Symantec, and Facebook.
CISPA could be used as a “back-door wiretap” to access private information without a proper search warrant, Greg Nojeim, counsel for the Center for Democracy and Technology, said last week.
While it was critical to move quickly to protect the nation’s critical infrastructure and the federal government’s networks, “regulations need to be crafted smartly with input from both industry and the legislators to avoid not being designed in a vacuum,” Rodriguez said.
In today’s closed-door session—private because classified information may be discussed—committee members will vote on proposed amendments crafted to appease privacy advocates and build more support for the bill. Privacy groups are calling for amendments to restrict the scope and use of information collected under CISPA, such as dropping the provision that would let the government use threat data for general national security purposes.
One such amendment would require companies to remove any information that can be used to identify a specific person unrelated to a cyber threat before the data could be shared. Automated processes can be used to remove personal identifying information, according to the amendment. Another proposed removing some of the national security references to narrow the scope of what kind of data can be shared.
One proposed amendment will add a measure to ensure that shared information is used only to fight cyber-threats and not for marketing.
Stressing that this was not a “surveillance bill,” Rogers said on the call that the NSA or other government agencies will not be able to get data from private networks. “Nothing in this bill does anything to sacrifice your privacy or civil liberties,” Rogers said.
While information sharing is “vital” to cyber defense, the “inherent issue” is the fact that the federal government doesn’t own or control the country’s cyber-infrastructure. An independent and neutral platform for information sharing and collaboration will be necessary. “There needs to be a balance of information sharing where the Federal Government needs to supply data to organizations that own and operate our nation’s critical infrastructures so they can continue to conduct their business safely and securely,” Rodriguez said.
The White House signed an executive order in February aimed at coordinating information sharing between federal agencies and the private sector, but at this point, it’s not clear if this bill has a future, as there is no companion bill making its way through the Senate.