Is Compromise in Offing for CISPA?

Sponsors See Hopeful Signs Emanating from the White House

Compromise - a rare word heard between Capitol Hill and 1600 Pennsylvania Avenue - is being bandied about as the first major cybersecurity bill of the new Congress is introduced.

The chairman and ranking member of the House Permanent Select Committee on Intelligence, Republican Mike Rogers of Michigan and Democrat C.A. "Dutch" Ruppersberger of Maryland, resurrected on Feb. 13 the cyberthreat information sharing measure known as CISPA, for Cyber Intelligence and Sharing Protection Act, a bill that President Obama threatened to veto last year, but the sponsors believe can gain White House support this time around.

Ruppersberger, speaking with Rogers at the Center for Strategic and International Studies on Wednesday, said the lawmakers spoke earlier in the day with White House National Security Adviser Tom Donilon, who they said promised administration cooperation in finalizing legislation that encourages network operators and critical infrastructure operators to share cyberthreat information with the government.

Willingness to Collaborate

"We had some issues with the White House the last time," Ruppersberger said. "We don't still agree with everything in the bill. They don't agree with what we do, and vice versa. But what we do agree is that we will work together, our staff and their staff. We had commitment again today from the White House that they would work with us because they know how serious [this issue is]."

Indeed, President Obama in his State of the Union address on Feb. 12 called for Congress to enact cybersecurity legislation to expand the cyberthreat information sharing provisions in an executive order he issued earlier in the day [see Obama Issues Cybersecurity Executive Order].

"Congress must act as well, by passing legislation to give our government a greater capacity to secure our networks and deter attacks," the president said in his speech. "This is something we should get done on a bipartisan basis."

The White House has not commented specifically on the revived CISPA. In a veto threat issued last year, the administration said CISPA would allow broad sharing of information with governmental entities without establishing requirements for industry and the government to minimize and protect personally identifiable information [See Obama Threatens to Veto Cybersecurity Bill].

A White House spokeswoman on Wednesday said the administration will not take a stand on the new version of CISPA until it's ready for a vote, noting the White House does not want to prejudge the legislative process. "Our belief continues to be that information sharing improvements are essential to effective legislation, but they must include proper privacy and civil liberties protections, reinforce the appropriate roles of civilian and intelligence agencies and include targeted liability protections," spokeswoman Caitlin Hayden said.

Civil Libertarians See Flaws in CISPA

Still, opposition from privacy and civil liberties groups hasn't budged since last April, when the House of Representatives approved CISPA; it never got out of committee in the Senate.

Leslie Harris, president of the Center for Democracy and Technology, said in a statement that CISPA remains fundamentally flawed in two ways: "It allows private Internet communications and information of American citizens to go directly to the NSA, a military intelligence agency that operates secretly with little public accountability. Once that private information is in the hands of the military, it can be used for purposes completely unrelated to cybersecurity."

American Civil Liberties Union Legislative Counsel Michelle Richardson said CISPA fails to require companies to make reasonable efforts to protect their customers' privacy. "And then," Richardson said, "[CISPA] allows the government to use that data for undefined 'national-security' purposes and without any minimization procedures, which have been in effect in other security statutes for decades."

The bill's sponsors contend that the information being shared isn't content, but malicious code that can plant spyware in corporate computers to pilfer trade secrets or cause other types of havoc. "The bill does not authorize the government to monitor your computer, to read your e-mail, Tweets or Facebook posts," Ruppersberger said. "That is clear."

In addition, the sponsors said their bill provides for audits by the inspector general for intelligence to assure CISPA complies with privacy and civil liberties rights.

Business groups didn't have such worries, and enthusiastically endorsed CISPA. Typical was the reaction of Paul Smocer, president of BITS, the technology policy division of the Financial Service Roundtable, a trade group, who calls CISPA "essential" because the bill would facilitate and increase cyberthreat information sharing in a voluntary and non-burdensome manner.

Why Is This Year Different from Other Years?

Congress hasn't enacted comprehensive cybersecurity legislation in a decade, but what makes 2013 different than recent years are the highly visible cyberattacks government and businesses have experienced in recent months. The public consciousness of the cyberthreat is growing, and pressure for Congress to do something can lead to compromise.

"Every day we wake up to news that some other major activity was broken into," Harry Raduege, chairman of the Deloitte Center for Cyber Innovation, said in an interview. "What surprises so many people is the fact that no one seems to be immune, whether it's government activities, banking and finance, oil and gas community, healthcare. Everyone seems to have vulnerabilities to these increasing threats and intrusions by the outsider. We are constantly being reminded of how vulnerable we are and how extreme the losses have been and can be."

CISPA's Key Provisions

CISPA, according to the sponsors, would:

  • Allow the federal government to provide classified cyberthreat information to the private sector to help American companies better protect themselves from advanced cyberthreats;
  • Empower American businesses to share cyberthreat information with others in the private sector and enable the private sector to share information with the government on a purely voluntary basis, all while providing strong protections for privacy and civil liberties;
  • Provide liability protection for companies acting in good faith to protect their own networks or share threat information.

Rogers, the intelligence committee chairman, said the recent spike in advanced cyber-attacks against banks [see Hacktivists Threaten More DDoS Attacks] and newspapers [see N.Y. Times' Transparent Hack Response] makes the need for CISPA crystal clear. "It is time to stop admiring this problem and deal with it immediately," he said. "Congress urgently needs to pass our cyberthreat information sharing bill to protect our national security, our economy and U.S. jobs."


About the Author

Eric Chabrow

Host & Producer, ISMG Security Report; Executive Editor, GovInfoSecurity & InfoRiskToday

Chabrow hosts and produces the semi-weekly podcast ISMG Security Report and oversees ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.



