The House capped off its “Cyber Week” on Thursday by passing flagship systems security legislation intended to protect the nation’s critical infrastructure from hacking attacks.
The Cyber Information Sharing and Protection Act was approved on a bipartisan vote, 288-127, following more than a day of debate over the bill’s privacy protections.
A key issue standing between CISPA and President Barack Obama’s signature is who should bear responsibility for removing any personally identifying details from threat information before it is shared between business and government.
As the bill stands, the government is charged with filtering out such data when it receives threat information from businesses. Democrats want the onus to be on businesses, arguing that allowing personal data to get to the government in the first place would be a violation of individuals’ privacy. The Republican-led House Rules Committee had earlier blocked consideration of amendments proposing to put the responsibility on the private sector.
Privacy and civil liberties advocates also worry that consumers’ information could flow to military and CIA-support agencies like the National Security Agency, which is subject to far less oversight than civilian agencies.
The White House on Tuesday threatened to veto CISPA, much as it did last April when an earlier iteration of the bill passed the House but was dead on arrival in the Senate. The veto threat said that the information should go directly to the Department of Homeland Security; that legal immunity in the bill for businesses sharing threat information is too broad; and that companies should remove personal information from shared data.
But more than two-thirds of members voted for passage Thursday, enough to override a veto. Ninety-two Democrats joined Republicans to vote for the bill, while 29 Republicans defected. Only 42 Democrats voted for the 2012 bill.
In an attempt to soothe surveillance concerns, members adopted an 11th-hour amendment offered by Homeland Security Committee Chairman Mike McCaul (R-Texas) that would make most information go through Homeland Security or the Department of Justice rather than a military agency. Information can still go to the military, but most will have to pass through civilian agencies first. The amendment passed on a 409-5 vote.
Just prior to the final CISPA vote Thursday, House Minority Leader Nancy Pelosi (D-Calif.) couched her own no vote in heavy praise for the bill’s co-sponsors, House Intelligence Committee Chairman Mike Rogers (R-Mich.) and ranking member Dutch Ruppersberger (D-Md.), saying their bill had moved debate in the right direction.
But, she said, she would vote no because the bill does not adequately address “critical infrastructure” and because she was “disappointed” the bill didn’t do more to address the White House’s privacy concerns.
“We are saying, minimize what is relevant to our national security,” Pelosi said of requiring businesses to remove personal information. “The rest is none of the government’s business.”
Defenders of the bill say business will be less likely to voluntarily share threat information if faced with new rules — and potential liabilities — on sensitive private data, and corporate lawyers say company executives are generally leery of handling such information.
An amendment from Rep. Joe Barton (R-Texas), which passed on a voice vote Wednesday, clarified that companies cannot share information in order to target individuals for marketing; a similar managers’ amendment confining sharing to cybersecurity purposes had already been adopted.
Rogers repeatedly described the bill in terms of protecting against foreign threats, invoking hackers from Russia, Iran, North Korea and China, in an appeal to centrists weighing privacy worries against national-security concerns.
“If you want to take a shot across China’s bow, this is the answer!” he said Thursday, to cheers from the members on the floor. He warned his colleagues, “This is as serious an issue as we are not prepared to handle as Americans.”
The Senate last year did not consider CISPA, instead introducing its own bill, which failed twice. It’s unclear whether the body will take up the bill this year, but the level of Democratic support and heightened public awareness of cybersecurity could carry it forward.
Cyber Week also involved unanimous passage of a bill reforming the Federal Information Security Amendments Act on Tuesday. The bill, sponsored by House Oversight and Government Affairs Committee Chairman Darrell Issa (R-Calif.), moves oversight of federal agencies’ information security practices back to the Office of Management and Budget; Homeland Security had taken over most of those duties in 2010. The bill, which reforms the 2002 Federal Information Security Management Act, will require agencies to conduct regular cyber threat assessments.
The House also passed two cybersecurity research and development bills Tuesday. The Cybersecurity Enhancement Act calls for more research at the National Science Foundation and the National Institute of Standards and Technology and would require agencies to budget for cybersecurity R&D. It passed with more than 400 votes, as did a bill coordinating federal government cybersecurity R&D, the Advancing America’s Networking and Information Technology Research and Development Act.