New cybersecurity bill: Privacy threat or crucial band-aid?

The cybersecurity bill was a flash point for privacy advocates a year ago. Now, changes have been made to the bill, which was the focus of a closed hearing Wednesday by the House Intelligence Committee.

Cyberthreat information sharing between private industry and government is getting a fresh look in Congress, even as civil-liberties groups cry foul over what they say are onerous provisions in a bill that runs roughshod over citizen privacy.

If that seems like déjà vu all over again, it’s because it is: The Cyber Intelligence Sharing and Protection Act (CISPA) was a flash point for privacy advocates a year ago, and now, it’s the focus of a closed hearing Wednesday by the House Permanent Select Committee on Intelligence.

The idea of cybersecurity legislation winning fresh attention isn’t too surprising given the drumbeat of cyber-insecurity in past months – reports of Chinese cyberspying on US companies, bank websites under attack, news organizations’ computers infiltrated. Key government officials have even declared the United States vulnerable to a Pearl Harbor-type cyberattack.

In response, the White House has ramped up cyberdiscussions with Russia and China, challenged China on cyberspying, and issued an executive order to boost the network protection for critical infrastructure.

Congress, meanwhile, has done – well, not too much really.

Feeling the heat, Reps. Mike Rogers (R) of Michigan and C.A. “Dutch” Ruppersberger (D) of Maryland, the chairman and ranking member of the House Intelligence Committee, this month outlined changes to CISPA – reportedly including up to five amendments intended to address privacy concerns and help its chances of winning Senate and White House approval.

The earlier version of CISPA, which did not include those amendments, passed the House last spring, but was opposed by the White House and did not advance in the Senate.

“This is clearly not a theoretical threat – the recent spike in advanced cyber attacks against the banks and newspapers makes that crystal clear,” Representative Rogers said in a statement. “American businesses are under siege. We need to provide American companies the information they need to better protect their networks from these dangerous cyber threats. It is time to stop admiring this problem and deal with it immediately.”

In a Sunday opinion piece in The Hill, the bill’s co-authors cited cybertheft of pesticide formulas, manufacturing blueprints, software, and chemical formulas – as well as the intellectual property of one US manufacturer that spent $1 billion and 10 years on research and development for a new product. That research was stolen “in a matter of minutes,” the co-authors said.

“The Chinese even attempted to steal the secret recipe for Coca-Cola,” Rogers and Representative Ruppersberger wrote in the opinion piece. “Extrapolate that out to the entire American economy and you have a major threat to our ability to compete in the world.”

The two congressmen say that to protect the US economy “and our way of life,” their “narrow legislation” would permit government agencies to share classified threat intelligence and other cyberthreat information with private companies. Conversely, private companies could share cyberthreat data with the government – and be granted legal immunity from lawsuits. It would, Rogers and Ruppersberger write in The Hill, “break down legal barriers written into law decades before the Internet age so the government can help protect private sector networks, which comprise a vast majority of the infrastructure.”

Expected amendments are reported to:

• Include language that would deny companies legal protection if they use cyberthreat information to hack one another’s networks.

• Drop language that would allow government agencies to also use cyberthreat information for national-security purposes.

• Require federal privacy and civil-liberties officers to review how information is shared and used.

But it’s far from clear such measures will be enough to win the needed support. In past statements on the subject, the White House has said that information-sharing legislation must include privacy and civil-liberties protections, reinforce separate roles for civilian and intelligence agencies, and delineate limited (as opposed to blanket) liability protections. The White House also wants companies to be required to minimize the sharing of information that would identify individuals, the Hill has reported.

This version of CISPA could still fall short for privacy advocates. Amendments outlined prior to the closed hearings did not put a civilian agency – such as the Department of Homeland Security – in charge of information sharing. (No formal arrangement has been declared.) Nor did they require companies to strip out personal information from the cyberthreat data before transmission to the government.

“We have seen the language of these amendments – and what we’ve been hearing is that they still don’t tackle the core concerns including tailoring so that information that’s shared by private industry can’t be used for purposes other than cybersecurity,” says Mark Jaycox, a policy analyst with the Electronic Frontier Foundation, a San Francisco Internet privacy group.

Legal language requiring that personal information be stripped out of data before transmission to the government is not yet among the amendments, Mr. Jaycox says. That cleansing of personal data could be done with high-speed technology that wouldn’t hinder the sharing process, he notes.

Michelle Richardson, legislative counsel for the American Civil Liberties Union, argues in a blog that this version of CISPA still “goes beyond mere sharing and allows companies to conduct even more surveillance of records and communications in the search for cyber threats.” She continues, “CISPA gives companies complete immunity for ‘decisions made’ based on information discovered through these new monitoring activities or through information shared under CISPA.”

She adds, “CISPA doesn't just grant immunity for broad information-sharing, it grants immunity for literally anything companies choose to do in response to the information gleaned from its CISPA powers.”

Others, however, say such privacy worries are overwrought.

“CISPA is a good bill, and the privacy concerns are mostly baloney,” Stewart Baker, a former senior official at DHS and the National Security Agency, writes in an e-mail. “In fact the so-called privacy advocates are condemning Americans to massive permanent privacy intrusions by authoritarian governments because of the advocates' myopic fixation on the imagined threat from NSA.”

Besides CISPA, several narrower bills will get attention this month as well. One bill, sponsored by Rep. Michael McCaul (R) of Texas and Rep. Daniel Lipinski (D) of Illinois, would boost research and development to confront cyberthreats. Another would toughen penalties for cybercrimes.

Conspicuously missing, at least so far, is any legislation to directly address improved cybersecurity for critical infrastructure such as the US power grid. A bill to do that was proposed last year by Sen. Susan Collins (R) of Maine and former Sen. Joseph Lieberman (I) of Connecticut, and it was supported by the White House. But it was opposed by Sen. John McCain (R) of Arizona and the US Chamber of Commerce – and it, too, was shot down last year.

Wednesday’s closed hearing is expected to include statements, with votes on amendments coming Thursday.