House passes cybersecurity bill despite veto threat over privacy protections

Among the few things that members of Congress seem to agree on this election year is the need for new cybersecurity legislation to protect the nation from cyberattack. But there's wide disagreement about how to reach that common goal, and privacy protections are at the core of the dispute.

New cybersecurity legislation that passed by a vote of 248 to 168 late Thursday in the House of Representatives permits Internet service providers (ISPs) to share information back and forth with US government agencies in order to identify and defeat cyberattacks.

But amid concerns the bill does not sufficiently protect individuals’ privacy, the legislation ran into a significant pushback at midweek that portends further wrenching adjustments before a final bill can emerge.

Despite passage, the new Cyber Intelligence Sharing and Protection Act (CISPA) lost steam and apparently a number of votes when on Wednesday the White House threatened a veto – and the Center for Democracy and Technology, a key privacy rights group, announced its opposition as well.

Proponents denounced the threatened veto.

"The White House believes the government ought to control the Internet, government ought to set standards, and government ought to take care of everything that's needed for cybersecurity," House Speaker John Boehner told reporters at his weekly news conference. "They're in a camp all by themselves."

The bill now goes, somewhat weakened, into a conference committee, there to be meshed with a new Senate cybersecurity bill, which is expected to be voted on next month. A final bill for the president to sign – or veto –  could possibly emerge from Congress sometime this summer, several legislative watchers say.

Core functions of CISPA are supposed to help drain the Internet of malicious cyberthreats now sluicing through it via telecom pipelines controlled by Internet backbone firms like Verizon and AT&T.

Under CISPA, the Internet providers and other private companies would:

• Receive classified digital signatures and other data from the US government agencies, including intelligence agencies like the National Security Agency, to help identify malicious Internet traffic.

• Give private Internet providers and others the right to defend their own networks and their corporate customers – and share cyberthreat information with others in the private sector and with the federal government on a voluntary basis.

• Encourage, but not require, private companies to “anonymize” information that they voluntarily share with government and nongovernment entities.

• Grant to Internet providers immunity from privacy lawsuits in which customer information was voluntarily disclosed as a possible security threat.

• Grant Internet companies antitrust protection that immunizes them against allegations of colluding on cybersecurity issues.

• Require an independent audit of information shared with the government.

Such provisions, though, were either troubling or insufficient to the White House and privacy groups. While the idea of broader information sharing is generally accepted as a requirement for any cybersecurity bill, CISPA provisions and the new amendments do not go nearly far enough to protect Americans privacy, its opponents say.

“Cybersecurity and privacy are not mutually exclusive,” the White House said in its policy statement that announced the veto threat Wednesday. "The bill also lacks sufficient limitations on the sharing of personally identifiable information between private entities and does not contain adequate oversight or accountability measures necessary to ensure that the data is used only for appropriate purposes."

1 | 2

Next