Virtually all of D.C. thinks the government and industry should exchange cyberthreat data. | REUTERS Cybersecurity: A new old fight

Battling rogue hackers and digital spies — it’s precisely the sort of cutting-edge challenge that typically confounds Congress.

But the cybersecurity debate about to begin in the House this week is merely a more modern take on an old political fight: a classic lobbying battle set against the backdrop of a post-Sept. 11 struggle between privacy and security.


Virtually all of Washington believes the government and industry should exchange data about new cyberthreats — not unlike regulators in the not-too-distant past who shared a desire to find new methods of preventing terrorism.

In both debates, however, it’s always been about the details. And on cybersecurity, Congress, the White House, private companies and interest groups just don’t see eye to eye. Each side is lobbying hard to shape the final product as regulators realize it’s difficult to safeguard civil liberties while thwarting the sort of attacks that might darken a city or disrupt Wall Street trading.

“I think CISPA is an illustration of a growing challenge to accommodate national security and privacy in an increasingly electronically interconnected world,” said Rep. Adam Schiff (D-Calif.), one of the bill’s biggest skeptics.

The supporters of the House’s proposal — known as the Cyber Intelligence Sharing and Protection Act, or CISPA — believe their proposal already strikes that balance. Even if it doesn’t, they likely have the votes to advance their information-sharing bill past the chamber when it comes to the floor.

However, they face continued criticism from other corners of the Capitol and the White House, which in 2012 threatened to veto CISPA because of its privacy pitfalls. The bill still cleared the House last year.

“We’ve come a long way on dealing with privacy issues,” Rep. Dutch Ruppersberger (D-Md.), one of its chief authors, said in an interview with POLITICO. “Until we have a bill passed where we can share information, we cannot protect our country from these attacks.”

There’s sincere interest in Washington to fortify the country’s defenses against powerful digital malefactors, who increasingly target corporate trade secrets, political intelligence and more.

To many, the most significant threat comes from hackers believed to be located in China — an issue the administration said Saturday it would address more closely with its Chinese counterparts through a new working group.

Even as lawmakers cited those foreign threats, though, Congress failed repeatedly last year to advance meaningful cybersecurity reform. In the months to follow, President Barack Obama signed a limited executive order focused on the digital defenses of power plants, water systems and other entities deemed critical infrastructure.

The administration’s order isn’t a perfect substitute for a new law — a reality that has Congress ready to return to the debate and the House ready to return to CISPA. Much as they did last year, House Intelligence Committee Chairman Mike Rogers (R-Mich.) and ranking Democrat Ruppersberger, its authors, have made key, privacy-focused changes to the bill: Their latest string of revisions would restrict how the government uses shared data while instituting new reporting requirements.

But the fundamental fight that scuttled CISPA in 2012 — its balance between privacy and security — certainly remains on the political main stage in 2013. As the tug of war resumes, its allies and opponents on and off Capitol Hill are mobilizing aggressively to drag CISPA closer to their camp.

Security-minded members of Congress are out defending the bill — with Rogers holding a series of exclusive, members-only briefings with interested lawmakers, POLITICO has learned, including one with Gen. Keith Alexander, the head of U.S. Cyber Command. Rogers was not available to comment for this story.

At least for now, the bill certainly has the support of some chamber defense leaders. “I think it’s good,” said Rep. Mac Thornberry (R-Texas), a leader on the Armed Services Committee. “It’s obviously always possible somebody who’s looking for an objection could find one; on the other hand, I think the bill has gotten stronger as time goes on, and I think it’s in a very good place right now.”

Top business organizations — from the Information Technology Industry Council to the U.S. Chamber of Commerce — have mobilized to defend CISPA in its current state. In a letter last week, they rebuffed Democrats’ attempts to mandate they take new, “reasonable” steps to strip Americans’ private data from the information they swap, a change they felt would deter participation in the program.

A second letter from trade groups representing the biggest wireless carriers and telecom firms, sent to House leaders on Friday, urged the chamber to pass CISPA swiftly. Those coalitions are among the many sectors, from banking to energy, that have spent untold millions of dollars over the past year to lobby in support of CISPA — and its few mandates on industry.

Their opponents: The ACLU, with others like the Center for Democracy & Technology and the Electronic Frontier Foundation, which have fought aggressively against the measure by rallying Internet activists and others. At least some on their side see parallels in the House’s current work with the intelligence and surveillance debates that preceded it.

“I think it’s important to look at [CISPA] in the context of the last 12 years,” said Michelle Richardson of the American Civil Liberties Union. “You have this unfortunate, perfect storm of the government getting more information, and this information getting more and more sensitive.”

CISPA’s biggest skeptics at least are somewhat satisfied with the limited changes blessed by Rogers and Ruppersberger this year. No longer, for example, can federal agencies on the receiving end of cybersecurity data use it for “national security” purposes — in the eyes of critics a broad bucket that could have brought significant harm to Americans’ civil liberties. The government also would be required to take significant steps to ensure Americans’ personal data isn’t caught in the fray.

That said, opponents believe the bill still creates the potential that Americans’ personal information could land in the hands of the National Security Agency. And a collection of congressional Democrats and civil-liberties groups still seeks controls on companies that share data with one another — the exact sort of change tech leaders and others have warned against.

Rogers and Ruppersberger reject any suggestion that NSA might spy on Americans. And they say any new limits on participants could deter them from sharing data with each other and the government, thereby harming the country’s cyberdefenses.

Nevertheless, those explanations likely won’t assuage the privacy concerns of the Obama administration, which listed those very two things in its 2012 veto threat. The White House did not comment on whether it might proceed similarly in 2013.

Those changes aren’t enough for the Senate, either. A spokeswoman for Sen. Tom Carper (D-Del.), who leads the chamber’s homeland security panel, told POLITICO the lawmaker believes recent improvements to CISPA “[do] not do enough to address privacy concerns or better safeguard our nation’s critical infrastructure.” She reiterated that Carper is focused on a more comprehensive approach to cybersecurity reform as the House proceeds piecemeal.

Ruppersberger acknowledged the work still to come.

While he said he thinks CISPA has sufficient House support “based on our vote count,” he said it’s more important than ever to “get the Senate to do something and go to conference and hopefully, resolve” the remaining tensions.