Among the few things that members of Congress seem to agree on this election year is the need for new cybersecurity legislation to protect the nation from cyberattack. But there's wide disagreement about how to reach that common goal, and privacy protections are at the core of the dispute.
New cybersecurity legislation that passed by a vote of 248 to 168 late Thursday in the House of Representatives permits Internet service providers (ISPs) to share information back and forth with US government agencies in order to identify and defeat cyberattacks.
But amid concerns the bill does not sufficiently protect individuals’ privacy, the legislation ran into a significant pushback at midweek that portends further wrenching adjustments before a final bill can emerge.
Despite passage, the new Cyber Intelligence Sharing and Protection Act (CISPA) lost steam and apparently a number of votes when on Wednesday the White House threatened a veto – and the Center for Democracy and Technology, a key privacy rights group, announced its opposition as well.
Proponents denounced the threatened veto.
"The White House believes the government ought to control the Internet, government ought to set standards, and government ought to take care of everything that's needed for cybersecurity," House Speaker John Boehner told reporters at his weekly news conference. "They're in a camp all by themselves."
The bill now goes, somewhat weakened, into a conference committee, there to be meshed with a new Senate cybersecurity bill, which is expected to be voted on next month. A final bill for the president to sign – or veto – could possibly emerge from Congress sometime this summer, several legislative watchers say.
Under CISPA, the Internet providers and other private companies would:
- Receive classified digital signatures and other data from the US government agencies, including intelligence agencies like the National Security Agency, to help identify malicious Internet traffic.
- Give private Internet providers and others the right to defend their own networks and their corporate customers – and share cyberthreat information with others in the private sector and with the federal government on a voluntary basis.
- Encourage, but not require, private companies to “anonymize” information that they voluntarily share with government and nongovernment entities.
- Grant to Internet providers immunity from privacy lawsuits in which customer information was voluntarily disclosed as a possible security threat.
- Grant Internet companies antitrust protection that immunizes them against allegations of colluding on cybersecurity issues.
- Require an independent audit of information shared with the government.
Such provisions, though, were either troubling or insufficient to the White House and privacy groups. While the idea of broader information sharing is generally accepted as a requirement for any cybersecurity bill, CISPA provisions and the new amendments do not go nearly far enough to protect Americans privacy, its opponents say.
“Cybersecurity and privacy are not mutually exclusive,” the White House said in its policy statement that announced the veto threat Wednesday. "The bill also lacks sufficient limitations on the sharing of personally identifiable information between private entities and does not contain adequate oversight or accountability measures necessary to ensure that the data is used only for appropriate purposes."
Citizens have "a right to know that corporations will be held legally accountable for failing to safeguard personal information adequately," the White House added. "The government, rather than establishing a new antitrust exemption under this bill, should ensure that information is not shared for anti-competitive purposes."
Privacy advocates joined in hammering CISPA for making data handed over to the government exempt from the Freedom of Information Act for reasons of "national security."
"With this bill you're talking about granting access to everyday Americans' Internet access records – because this bill doesn't lay out the type of information records that can be shared," says Michelle Richardson, staff attorney for the American Civil Liberties Union. "So it's going to be their Internet use history, their search terms, records of your e-mail that are going to the government."
It's not so much the flow of information from government to private industry, but the flow from industry to government that most worries these privacy advocates.
"This bill creates a cybersecurity loophole in all existing privacy laws," says Trevor Timm, a spokesman for the Electronic Frontier Foundation, an Internet privacy rights group. "Right now we have longstanding laws – the Wiretap Act and the Electronic Communications Privacy Act that have been on books for decades – saying government needs probable cause or a judicial warrant if they want to read your e-mails. This bill would allow companies to read your e-mails as long as there was some vague cybersecurity purpose – and hand them to government with no judicial review."
Another group, the Center for Democracy and Technology, worked closely with CISPA co-author Mike Rogers on amendment language – and indicated it might not oppose the bill – if amendments the group favored made it to the House floor for a vote.
But on Wednesday those amendments restricting the flow of information to the NSA – and government authority to use information for noncybersecurity purposes – were shot down even before being voted on. So the group pulled its support.
To CISPA advocates, however, the wrangle over just how and what kind of data could flow to government – and how it could or could not be used – was too much.
"The information they [companies and government are sharing] is information being used to break into our nation's networks," says Stewart Baker, a former NSA and Department of Homeland Security official now with the Washington firm of Steptoe and Johnson.
"The question really is: What can you do with that information after it's shared? To say you can use it for cybersecurity, but not national security – that's nuts! Are we willing to sacrifice national security and not protect the country?"
Others, however, say there's no need to sacrifice the nation – or lose privacy.
"There's a way for Congress to craft a very narrow information sharing program that still respects privacy," the ACLU’s Ms. Richardson says. "But this bill isn't it."