A House panel today approved a controversial cyber-security bill. By a vote of 18 to 2, the House Intelligence Committee approved the Cyber Intelligence Sharing and Protection Act (CISPA).

The vote, or markup, was conducted during a private session since it involved classified information. It is expected to be taken up by the full House next week.

"Cyber-hackers from nation-states like China, Russia, and Iran are infiltrating American cyber networks, stealing billions of dollars a year in intellectual property, and undermining the technological innovation at the heart of America's economy," said bill sponsor and committee chairman Mike Rogers. "This bill takes a solid step toward helping American businesses protect their networks from these cyber looters. Through hard work and compromise, we have produced a balanced bill that provides strong protections for privacy and civil liberties, while enabling effective cyber-threat sharing. The decisiveness of the vote shows the tremendous bipartisan support for this bill."

CISPA would allow for voluntary information sharing between private companies and the government in the event of a cyber attack. Backers argue that it's necessary to protect the U.S. against cyber attacks from countries like China and Iran, but opponents said that it would allow companies to easily hand over users' private information to the government.

A version of CISPA passed the House a year ago, but it failed to make it through the Senate, while the White House threatened to veto it. As a result, Reps. Rogers and Ruppersberger this week announced a few amendments that they hoped would appease detractors enough to get the bill signed into law.

At today's markup, the committee approved six amendments.

A Managers' Amendment that made some "non-controversial technical corrections" regarding the information-sharing purposes of the bill, according to a committee spokeswoman.

An amendment from Rep. Mike Thompson, a California Democrat, calls on the Privacy and Civil Liberties Oversight Board (PCLOB) and the individual agency privacy officers to oversee the government's use of data collected from private companies.

An amendment from Rep. Jim Langevin, a Rhode Island Democrat, clarifies that the bill does not authorize hacking, as was alleged by the Center for Democracy and Technology recently.

An amendment from Reps. Joe Heck (R-Nev.) and Jim Himes (D-Conn.) limits private companies' use of data they receive from the government to cyber security purposes. In other words, if Google or Facebook received information from the feds about a cyber attack, they could only use it to stop an attack on their own networks. They could not repurpose that data and somehow use it in marketing materials or for business-related endeavors.

Another amendment from Rep. Himes establishes minimization procedures that limit the receipt, retention, and use of personally identifiable information that is not required to stop a cyber attack while ensuring that critical cyber threat information is passed along in a timely manner.

An amendment from Rep. Terri Sewell, an Alabama Democrat, strikes a "national security" provision, which would have allowed the Department of Homeland Security and other agencies to use shared information for "national security" purposes, without explaining what that might entail. It prompted concern from groups like the Electronic Frontier Foundation, which argued last year that the national security provision and CISPA as a whole "threatens to decimate Internet users' privacy in the name of security."

Voting Against CISPA

One member who voted against CISPA today was Rep. Adam Schiff, a California Democrat. In a statement, Schiff said he was disappointed that the committee rejected an amendment he put forth that would require companies sharing cyber-security information to strip that data of personally identifiable information.

"It is not too much to ask that companies make sure they aren't sending private information about their customers, their clients, and their employees to intelligence agencies, along with genuine cyber security information," Rep. Schiff said. "While I support increased information sharing, without requirements that companies make sure they aren't sharing Personally Identifiable Information, as well as making the Department of Homeland Security the initial point of receipt, I cannot support the bill in its current form."

Rep. Jan Schakowsky, an Illinois Democrat, was the other member of the committee to vote against CISPA. In a statement, she said that the bill does not yet achieve the right balance between cyber-security protection and protection for civil liberties and privacy.

Schakowsky said he offered three amendments, none of which were adopted. "My amendments would have strengthened privacy protections, ensured that consumers can hold companies accountable for misuse of their private information, required that companies report cyber threat information directly to civilian agencies and maintained the long standing tradition that the military doesn't operate on U.S. soil against American citizens," she said.

"I strongly agree with the need to enact effective cybersecurity legislation, and commend the bipartisan effort of the House Intelligence Committee, but this bill doesn't sufficiently protect individual privacy rights," she concluded.

Killing Digital Privacy?

Another person who has concerns about CISPA is Internet activity and Reddit co-founder Alexis Ohanian, who argued in a video message today that "CISPA basically says ... your digital privacy is irrelevant."

Ohanian urged CISPA opponents to sign a petition on SaveYourPrivacyPolicy.org, which asks Internet giants Google, Twitter, and Facebook to speak out against CISPA. Last year, Facebook came out in support of CISPA, but amidst the backlash, it issued more tepid support for the bill this time around.

Ohanian played an active role in the Jan. 2012 Internet blackout that led to the demise of the Stop Online Piracy Act (SOPA) and the PROTECT IP Act (PIPA). He argued that the same type of Internet-based activism can also help defeat CISPA. "Internet freedom [and] Internet privacy matters," he said.

Further Reading

Security Reviews