Sponsors promise redactions and restrictions, rebut charges that measure is a 'surveillance bill.'
The leaders of the House Intelligence Committee plan to amend a cybersecurity bill to make it more palatable to privacy groups and improve chances of a friendly reception from President Obama.
The Cyber Intelligence Sharing and Protection Act (CISPA) is being marked up in closed session on April 10. On an April 8 conference call with reporters and bloggers, panel chairman Rep. Mike Rogers (R-Mich.) and ranking member Rep. Dutch Ruppersberger (D-Md.) described a slate of amendments they plan to support.
The amendments include new restrictions on the way information on potential threats from private companies can be used by law enforcement. Language that would allow the government to use information on threats “for national security purposes” is coming out. Additionally, government agencies that receive such information would be required to remove personal data that could identify individual users. And private companies that receive information from government sources on potential threats would be prohibited for using the information for marketing purposes.
Opponents of the bill remain concerned that information from private companies will be shared with the National Security Agency. Rogers tried to deflect this criticism saying, “It’s clear when you read the bill this is not a surveillance bill.... It just is not. It does not allow the NSA, or any government agency, to plug in to domestic networks and listen in. That does not happen."
Ruppersberger said the Obama administration "is still not behind our bill, but we are working with them and with the privacy groups."
The text of the proposed amendments has not yet been made public, but privacy activists remain cool to the measure despite the promised changes. “While some of the amendments described today could be helpful, civilian control is the elephant in the room that CISPA co-sponsors refuse to address,” said Gregory Nojeim at the Center for Democracy and Technology.
Michelle Richardson, who tracks cybersecurity for the American Civil Liberties Union, wrote in an op-ed for Politico, “CISPA needs to be amended to clarify that civilians are in charge of information collection for cybersecurity purposes, period. Anything short of that is a fundamental failure.”
CISPA was passed by the House of Representatives in 2012, but went nowhere in the Senate, which was working on its own comprehensive cybersecurity bill that included stiffer restrictions on information sharing and liability for companies whose data is compromised in attacks.
White House cybersecurity coordinator Michael Daniel said in a February speech that the administration backed “targeted liability protections,” for companies that share information. The administration also seeks privacy protections and oversight of agencies that use information on cyber threats.
The momentum appears to have shifted in the direction of a deal on cybersecurity, thanks to recent publicity about ongoing threats to U.S. networks from China, as detailed in a February report from security firm Mandiant, which alleged that groups backed by China’s armed forces are targeting American firms.