IDG News Service – The U.S. House of Representatives has voted to approve a controversial cyberthreat information-sharing bill, despite opposition from the White House and several privacy and digital rights groups.
The House on Thursday voted 288-127 to approve the Cyber Intelligence Sharing and Protection Act (CISPA), a bill that would allow U.S. intelligence agencies to share cyberthreat information with private companies. It would also shield private companies that voluntarily share cyberthreat information with each other and with government agencies from privacy lawsuits brought by customers.
The bill would still need to be passed by the U.S. Senate before heading to President Barack Obama for his signature. The Senate declined to act on another version of CISPA during the last session of Congress, and earlier this week, Obama’s advisors threatened a veto, although that was before the House approved a handful of amendments intended to address privacy concerns.
CISPA would allow private companies to share a broad range of customer data with each other and with government agencies, privacy groups have complained.
Supporters, however, argued the legislation is needed to encourage better information sharing about active cyberattacks, resulting in better defense of U.S. networks. Federal law now prohibits intelligence agencies from sharing classified cyberthreat information with private companies.
The bill will help protect the U.S. against cyberattacks from China, Iran and other countries, supporters said. Cyberespionage has cost the U.S. tens of thousands of jobs, as foreign companies steal the blueprints of U.S. products, said Representative Mike Rogers, a Michigan Republican and primary sponsor of CISPA.
“If you want to take a shot across China’s bow, this is the answer,” he said to applause on the House floor.
The bill correctly balances privacy concerns with the need for security, added Representative Dan Maffei, a New York Democrat. Rogue nations and “even independent groups like WikiLeaks” are taking aggressive measures to attack the U.S. power grid, air-traffic control systems and customer financial data, he said.
“Every day, international agents, terrorists and criminal organizations attack the public and private networks of the United States,” he said. “While I do always have some concern that the U.S. government may access our private information in the cyber sphere, I am more concerned that the Chinese government will access our private information.”
The House on Thursday voted for a handful of amendments intended to improve the bill’s privacy protections. Lawmakers approved an amendment designating the U.S. Department of Homeland Security and U.S. Department of Justice as the primary repositories of cyberthreat information shared by private companies, addressing a concern raised by several privacy groups that CISPA would give the U.S. National Security Agency unfettered access to customer data.
We’ve written extensively about CISPA over the last year, but since the House Permanent Select Committee on Intelligence is set to mark the bill up next week, and the full House to vote on it the week after that, we’re posting in more depth about its shortcomings. Information sharing isn’t offensive per se; it’s really a question of what can be shared, with whom, and what corporations and government agencies can do with it. First up:
What information does CISPA allow companies to share?
The short answer: any information that “pertains” to cybersecurity, broadly defined to include vulnerabilities, threat information, efforts to degrade systems, attempts at unauthorized access, and more. You can see the full list on page 20 of the bill. You’ll see that it’s not tied to the criminal definition of hacking but instead forges new ground.
The bill sponsors will tell you that CISPA is only about the “ones and zeroes,” but it certainly isn’t drafted that way. There’s nothing limiting CISPA in that manner and personally identifiable information (PII) could be shared right along with some inconsequential code that doesn’t impact privacy at all. So, if your communications or records are somehow caught up in a cybersecurity data dump, they might possibly include information that identifies the real-world you, even if that information is not necessary to combat a cyber threat. Under CISPA, you’ll just have to trust that the corporations holding your very personal information do what’s best. Good luck with that.