House passes cybersecurity bill despite veto threat over privacy protections

The cybersecurity bill seeks to protect the nation from cyberattack, but concerns over how personal information is shared with the government and corporations has sparked opposition and a veto threat from the Obama administration.

|
Carolyn Kaster/AP/File
The US Capitol building in Washington is pictured in this November 2011 file photo. The House passed a new cybersecurity bill late Thursday.

Among the few things that members of Congress seem to agree on this election year is the need for new cybersecurity legislation to protect the nation from cyberattack. But there's wide disagreement about how to reach that common goal, and privacy protections are at the core of the dispute.

New cybersecurity legislation that passed by a vote of 248 to 168 late Thursday in the House of Representatives permits Internet service providers (ISPs) to share information back and forth with US government agencies in order to identify and defeat cyberattacks.

But amid concerns the bill does not sufficiently protect individuals’ privacy, the legislation ran into a significant pushback at midweek that portends further wrenching adjustments before a final bill can emerge.

Despite passage, the new Cyber Intelligence Sharing and Protection Act (CISPA) lost steam and apparently a number of votes when on Wednesday the White House threatened a veto – and the Center for Democracy and Technology, a key privacy rights group, announced its opposition as well.

Proponents denounced the threatened veto.

"The White House believes the government ought to control the Internet, government ought to set standards, and government ought to take care of everything that's needed for cybersecurity," House Speaker John Boehner told reporters at his weekly news conference. "They're in a camp all by themselves."

The bill now goes, somewhat weakened, into a conference committee, there to be meshed with a new Senate cybersecurity bill, which is expected to be voted on next month. A final bill for the president to sign – or veto –  could possibly emerge from Congress sometime this summer, several legislative watchers say.

Core functions of CISPA are supposed to help drain the Internet of malicious cyberthreats now sluicing through it via telecom pipelines controlled by Internet backbone firms like Verizon and AT&T.

Under CISPA, the Internet providers and other private companies would:

  • Receive classified digital signatures and other data from the US government agencies, including intelligence agencies like the National Security Agency, to help identify malicious Internet traffic.
  • Give private Internet providers and others the right to defend their own networks and their corporate customers – and share cyberthreat information with others in the private sector and with the federal government on a voluntary basis.
  • Encourage, but not require, private companies to “anonymize” information that they voluntarily share with government and nongovernment entities.
  • Grant to Internet providers immunity from privacy lawsuits in which customer information was voluntarily disclosed as a possible security threat.
  • Grant Internet companies antitrust protection that immunizes them against allegations of colluding on cybersecurity issues.
  • Require an independent audit of information shared with the government.

Such provisions, though, were either troubling or insufficient to the White House and privacy groups. While the idea of broader information sharing is generally accepted as a requirement for any cybersecurity bill, CISPA provisions and the new amendments do not go nearly far enough to protect Americans privacy, its opponents say.

“Cybersecurity and privacy are not mutually exclusive,” the White House said in its policy statement that announced the veto threat Wednesday. "The bill also lacks sufficient limitations on the sharing of personally identifiable information between private entities and does not contain adequate oversight or accountability measures necessary to ensure that the data is used only for appropriate purposes."

Citizens have "a right to know that corporations will be held legally accountable for failing to safeguard personal information adequately," the White House added. "The government, rather than establishing a new antitrust exemption under this bill, should ensure that information is not shared for anti-competitive purposes."

Privacy advocates joined in hammering CISPA for making data handed over to the government exempt from the Freedom of Information Act for reasons of "national security."

"With this bill you're talking about granting access to everyday Americans' Internet access records – because this bill doesn't lay out the type of information records that can be shared," says Michelle Richardson, staff attorney for the American Civil Liberties Union. "So it's going to be their Internet use history, their search terms, records of your e-mail that are going to the government."

It's not so much the flow of information from government to private industry, but the flow from industry to government that most worries these privacy advocates.

"This bill creates a cybersecurity loophole in all existing privacy laws," says Trevor Timm, a spokesman for the Electronic Frontier Foundation, an Internet privacy rights group. "Right now we have longstanding laws – the Wiretap Act and the Electronic Communications Privacy Act that have been on books for decades – saying government needs probable cause or a judicial warrant if they want to read your e-mails. This bill would allow companies to read your e-mails as long as there was some vague cybersecurity purpose – and hand them to government with no judicial review."

Another group, the Center for Democracy and Technology, worked closely with CISPA co-author Mike Rogers on amendment language – and indicated it might not oppose the bill – if amendments the group favored made it to the House floor for a vote.

But on Wednesday those amendments restricting the flow of information to the NSA – and government authority to use information for noncybersecurity purposes – were shot down even before being voted on. So the group pulled its support.

To CISPA advocates, however, the wrangle over just how and what kind of data could flow to government – and how it could or could not be used – was too much.

"The information they [companies and government are sharing] is information being used to break into our nation's networks," says Stewart Baker, a former NSA and Department of Homeland Security official now with the Washington firm of Steptoe and Johnson.

"The question really is: What can you do with that information after it's shared? To say you can use it for cybersecurity, but not national security – that's nuts! Are we willing to sacrifice national security and not protect the country?"

Others, however, say there's no need to sacrifice the nation – or lose privacy.

"There's a way for Congress to craft a very narrow information sharing program that still respects privacy," the ACLU’s Ms. Richardson says. "But this bill isn't it."

You've read  of  free articles. Subscribe to continue.
Real news can be honest, hopeful, credible, constructive.
What is the Monitor difference? Tackling the tough headlines – with humanity. Listening to sources – with respect. Seeing the story that others are missing by reporting what so often gets overlooked: the values that connect us. That’s Monitor reporting – news that changes how you see the world.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to CSMonitor.com.

QR Code to House passes cybersecurity bill despite veto threat over privacy protections
Read this article in
https://www.csmonitor.com/USA/Politics/2012/0426/House-passes-cybersecurity-bill-despite-veto-threat-over-privacy-protections
QR Code to Subscription page
Start your subscription today
https://www.csmonitor.com/subscribe