Is Compromise in Offing for CISPA?

Sponsors See Hopeful Signs Emanating from the White House

By Eric Chabrow, February 13, 2013. Follow Eric @GovInfoSecurity

Credit Eligible

• 
• 
• 

Compromise - a rare word heard between Capitol Hill and 1600 Pennsylvania Avenue - is being bantered about as the first major cybersecurity bill of the new Congress is introduced.

The chairman and ranking member of the House Permanent Select Committee on Intelligence, Republican Mike Rogers of Michigan and Democrat C.A. "Dutch" Ruppersberger of Maryland, resurrected on Feb. 13 the cyberthreat information sharing measure known as CISPA, for Cyber Intelligence and Sharing Protection Act, a bill that President Obama threatened to veto last year, but the sponsors believe can gain White House support this time around.

Ruppersberger, speaking with Rogers at the Center for Strategic and International Studies on Wednesday, said the lawmakers spoke earlier in the day with White House National Security Adviser Tom Donilon, who they said promised administration cooperation in finalizing legislation that encourages network operators and critical infrastructure operators to share cyberthreat information with the government.

Willingness to Collaborate

"We had some issues with the White House the last time," Ruppersberger said. "We don't still agree with everything in the bill. They don't agree with what we do, and vice versa. But what we do agree is that we will work together, our staff and their staff. We had commitment again today from the White House that they would work with us because they know how serious [this issue is]."

Indeed, President Obama in his State of the Union address on Feb. 12 called for Congress to enact cybersecurity legislation to expand the cyberthreat information sharing provisions in an executive order he issued earlier in the day [see Obama Issues Cybersecurity Executive Order].

"Congress must act as well, by passing legislation to give our government a greater capacity to secure our networks and deter attacks," the president said in his speech. "This is something we should get done on a bipartisan basis."

The White House has not commented specifically on the revived CISPA. In a veto threat issued last year, the administration said CISPA would allow broad sharing of information with governmental entities without establishing requirements for industry and the government to minimize and protect personally identifiable information [See Obama Threatens to Veto Cybersecurity Bill].

A White House spokeswoman on Wednesday said the administration will not take a stand on the new version of CISPA until it's ready for a vote, noting the White House does not want to prejudge the legislative process. "Our belief continues to be that information sharing improvements are essential to effective legislation, but they must include proper privacy and civil liberties protections, reinforce the appropriate roles of civilian and intelligence agencies and include targeted liability protections," spokeswoman Caitlin Hayden said.

Civil Libertarians See Flaws in CISPA

Still, oppositions from privacy and civil liberties groups haven't budged since last April, when the House of Representatives approved CISPA; it never got out of committee in the Senate.

Leslie Harris, president of the Center for Democracy and Technology, said in a statement that CISPA remains fundamentally flawed in two ways: "It allows private Internet communications and information of American citizens to go directly to the NSA, a military intelligence agency that operates secretly with little public accountability. Once that private information is in the hands of the military, it can be used for purposes completely unrelated to cybersecurity."

American Civil Liberties Union Legislative Counsel Michelle Richardson said CISPA fails to require companies to make reasonable efforts to protect their customers' privacy. "And then," Richardson said, "[CISPA] allows the government to use that data for undefined 'national-security' purposes and without any minimization procedures, which have been in effect in other security statutes for decades."

The bill's sponsors contend that the information being shared isn't content, but malicious code that can plant spyware in corporate computers to pilfer trade secrets or cause other types of havoc. "The bill does not authorize the government to monitor your computer, to read your e-mail, Tweets or Facebook posts," Ruppersberger said. "That is clear."

• 1
• 2

Follow Eric Chabrow on Twitter: @GovInfoSecurity