The House Permanent Select Committee on Intelligence approved an amended version of the Cyber Intelligence Sharing and Protection Act Wednesday afternoon, 18-2, following a closed-door markup.
The bill, sponsored by Committee Chairman Mike Rogers (R-Mich.) and ranking member Dutch Ruppersberger (D-Md.), has ignited privacy concerns even as a spate of high-profile hackings in recent months has raised public awareness of gaping holes in the nation’s cybersecurity.
CISPA, Rogers said “is the one bill, out of everything you’ve seen… that protects a free and open internet and allows people to share cyber threat information to protect their clients, their business, their personally identifying information.”
The legislation would make it easier for the government and the private sector to share threat information to address cyber attacks collaboratively and in real time. Crucially, the bill offers broad legal immunity to businesses sharing threat information with each other and the government. The business community argues that liability and anti-trust protections are necessary to ensure businesses start sharing information (the lack of immunity is a key criticism of President Barack Obama’s Feb.12 cyber executive order).
Critics have alleged that the bill protects big business at the expense of consumers. A failed amendment from Rep. Jan Schakowsky (D-Ill.) would have limited the legal immunity for businesses, enabling consumers to take legal action against a company.
Schakowsky and fellow committee member Adam Schiff (D-Calif.) told reporters after the markup that all of their civil-liberties-oriented amendments were voted down during the markup, with each of the four amendments between them getting between two and four votes.
Schiff introduced an amendment that would have required companies to strip personally identifying data from any information they were passing on to the government. The committee passed a separate amendment, offered by Rep. Jim Himes (D-Conn.) and supported by Rogers and Ruppersberger, that would require government to minimize such data once it received the information.
The co-sponsors explained that putting the onus of data minimization on government makes it easier for businesses to choose to share information with the government.
“You need businesses to voluntarily cooperate with the government,” Rogers said. “We don’t want to put a burden on you that opens you up to a whole new set of lawsuits.”
Another amendment from Schakowsky would have required that companies report threats to civilian agencies. As drafted, Schiff told reporters, a company could “basically pick” which agency it wanted to give information to.
Privacy and civi-liberties advocates have long voiced concerns about personal information flowing directly to military organizations like the National Security Agency. Existing privacy laws prevent personal information going to the NSA because the inherently secretive organization is subject to little oversight.
Rogers rebuffed those concerns Wednesday, noting that domestic monitoring is not permitted under the bill.
“This is not a surveillance program,” Rogers said, “at all.”
Rogers has repeatedly insisted that the National Security Agency must be able to participate in the information sharing program since it collects intelligence abroad and could warn companies of threats from state actors like Iran.
Still, in a bid to quell concerns about the bill enabling broad government surveillance of individuals, Rogers and Ruppersberger had said before the markup that they would support striking a provision that would have allowed government to use shared cybersecurity information for vague “national security purposes.” The co-sponsors preemptively supported a handful of amendments that passed Wednesday.
An amendment introduced by Rep. Jim Langevin (D-R.I.) that would prohibit businesses from going on offense against hackers — or “hacking back” — also passed the committee; so did an amendment limiting information sharing between companies to cybersecurity purposes.
Rogers said he and Ruppersberger wanted to “make it really clear that [businesses] can’t use this for marketing…[or] any other purpose than to close the gap” in cybersecurity.
Schiff and Schakowsky both said they remain concerned by the bill’s treatment of individuals’ privacy and of companies’ responsibilities. Schakowsky was the lone dissenting vote on the committee when it approved a previous iteration of CISPA last spring; that bill went on to pass the House but was dead on arrival in the Senate, thanks in part to a veto threat from the White House.
Rogers routinely dismisses questions about the possibility of another veto threat, saying that talks with the White House — which objected on privacy grounds last spring — are going much better this year.
Ruppersberger suggested Wednesday that the increase in both volume and severity of cyber threats over the last year makes passage of a bill more likely. Both he and Rogers expressed confidence that some version of CISPA will pass the Senate.
“We feel we have to do more now,” Ruppersberger said, “because we don’t want another 9/11.”
The bill will come to the House floor by the end of the month, Rogers said. Schiff said he would offer his amendment to the Rules Committee.