CISPA Passes House: What's Next? - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Healthcare // Analytics

CISPA Passes House: What's Next?

Cybersecurity information-sharing bill moves to the Senate, but civil liberty groups vow to continue fighting it tooth and nail.

Top 10 Open Government Websites
Top 10 Open Government Websites
(click image for larger view and for slideshow)
The House of Representatives Thursday voted to advance the Cyber Intelligence Sharing and Protection Act (CISPA).

The 236-185 vote means that the full House can vote on CISPA, which may happen as early as Friday. The bill, written by Mike Rogers (R-Mich.) and C. A. Dutch Ruppersberger (D-Md.), was designed to allow U.S. intelligence agencies to share threat data with the private sector.

The approval of the rules vote happened despite the Obama administration's promise on Wednesday to veto CISPA. In a statement, the White House said that the bill "fails to provide authorities to ensure that the Nation's core critical infrastructure is protected." In particular, the White House and Democrats are especially concerned that the businesses responsible for protecting the critical infrastructure wouldn't be held accountable for their actual security practices. They've likewise warned--in the words of a statement issued by the White House--that the bill could "undermine the public's trust in the government as well as in the Internet by undermining fundamental privacy, confidentiality, civil liberties, and consumer protections."

"This bill in its current form ... is an unprecedented, sweeping piece of legislation that would waive every single privacy law ever enacted in the name of cybersecurity," said Rep. Jared Polis (D-Colo.).

[ For more background on CISPA's path to the Senate, see Is CISPA Worth Saving? ]

But Republicans countered that CISPA had been designed to include privacy safeguards for any data that businesses share with the government. "It significantly limits the federal government's use of that information that the private companies voluntarily provide, including the government's authority to search data," said Rep. Rich Nugent (R-Fla.).

A bipartisan Senate bill that's under development, however, would require businesses in the critical infrastructure to comply with new Department of Homeland Security regulations.

Several last-minute revisions by Rogers, the bill's primary author, were meant to make the bill more palatable to critics. But some changes appeared to be little more than window dressing. For example, one section of the bill indemnified businesses who failed to act on any security intelligence they received. "If a company learns about a security flaw, fails to fix it, and users' information is misused or stolen, companies cannot be held liable as long as the company acted 'in good faith' according to CISPA," said Rainey Reitman, activism director at the Electronic Frontier Foundation (EFF), in a blog post.

How did Rogers address that criticism? In a section on how businesses would be indemnified, Reitman said, "He changed the phrase 'for using cybersecurity systems or sharing information in accordance with this section' to 'for using cybersecurity systems to identify or obtain cyber threat information or for sharing such information.' Basically, he didn't fix it at all."

Meanwhile, moments before the vote on the bill, Rogers accused groups that opposed CISPA of "obfuscation," reported Wired. "Stand up for America. Support this bill," he said to the House.

With CISPA set to move to the Senate for consideration, civil liberties groups have vowed to continue trying to take it down. "Hundreds of thousands of Internet users spoke out against this bill, and their numbers will only grow as we move this debate to the Senate," said Reitman in a statement. "We will not stand idly by as the basic freedoms to read and speak online without the shadow of government surveillance are endangered by such overbroad legislative proposals."

The Center for Democracy and Technology (CDT) likewise released a statement condemning the passage of CISPA "in such flawed form and under such a flawed process." While the online civil liberties group applauded the Intelligence Committee's work, which led to more precise definitions and scope surrounding which types of information could be shared, it said that significant privacy concerns remained.

"We are also disappointed that House leadership chose to block amendments on two core issues we had long identified: the flow of information from the private sector directly to NSA and the use of that information for national security purposes unrelated to cybersecurity," said CDT spokesman Brock Meeks. "We intend to press these issues when the Senate takes up its cybersecurity legislation."

Monday, a group of more than 60 leading security experts and engineers released a letter calling for an end to CISPA and other overly broad cybersecurity bills. "The bills nullify current legal protections against wiretapping and similar civil liberties violations for that kind of broad data sharing. By encouraging the transfer of users' private communications to U.S. federal agencies, and lacking good public accountability or transparency, these 'cybersecurity' bills unnecessarily trade our civil liberties for the promise of improved network security," read the letter, which was signed by Bruce Schneier, chief security technology officer of BT, technologist Dan Gillmor, and privacy expert Christopher Soghoian, among others.

In our InformationWeek Government virtual event, Next Steps In Cybersecurity, experts will assess the state of cybersecurity in government and present strategies for creating a more secure IT infrastructure. It happens May 24.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Strategist
4/28/2012 | 11:44:23 PM
re: CISPA Passes House: What's Next?
The portion referenced in the article attributed to EFF does not make it clear if that is the current wording or the modified. I would say that any company where prior knowledge of a security flaw that went unresolved and was material to the loss of personal data should be held liable. I do not understand how any company could use a good faith defense (faith that they chose the risk of not having an incident as acceptable).

The amount of information they are holding is frightening. I called my bank recently to make an inquiry. Before proceeding, I was asked to identify from the five cities that they would list which one had some relationship to my "family." Naturally, I expected a personal list. My surprise when the only one identifiable was the Georgia residence (population 500) of a brother's short term, second wife divorced at least ten years prior (my families origins are on the other side of the US). Thank goodness I remembered but I was equally certain to have never listed it on any of my personal history forms. How and what kind of family history are banks assembling, storing, and what is reasonable retention? If this kind of detail was obtained through a cyber break in, it is clear how easily identity theft could be effected. I am far more concerned on the commercial institutions use and security of my personal data than that of the government's.
User Rank: Apprentice
4/28/2012 | 3:27:58 PM
re: CISPA Passes House: What's Next?
@readers - do you agree with the EFF that the language should be stronger when it comes to the liability of businesses?
Brian Prince, InformationWeek/Dark Reading Comment Moderator
How to Create a Successful AI Program
Jessica Davis, Senior Editor, Enterprise Apps,  10/14/2020
Think Like a Chief Innovation Officer and Get Work Done
Joao-Pierre S. Ruth, Senior Writer,  10/13/2020
10 Trends Accelerating Edge Computing
Cynthia Harvey, Freelance Journalist, InformationWeek,  10/8/2020
White Papers
Register for InformationWeek Newsletters
Current Issue
[Special Report] Edge Computing: An IT Platform for the New Enterprise
Edge computing is poised to make a major splash within the next generation of corporate IT architectures. Here's what you need to know!
Flash Poll