Updated 4/10/13: The U.S. House Intelligence Committee voted 18-2 for the new version of CISPA, with the two dissents coming from Democratic members of the committee.
“This is clearly not a theoretical threat – the recent spike in advanced cyber attacks against the banks and newspapers makes that crystal clear,” the revised bill’s author, Rep. Mike Rogers (R-Michigan), said in a statement. “American businesses are under siege. We need to provide American companies the information they need to better protect their networks from these dangerous cyber threats. It is time to stop admiring this problem and deal with it immediately.”
Meantime a petition started in February to stop the cybersecurity bill surpassed the required 100,000 signatures to generate an official response from the White House. It reads: “CISPA is about information sharing. It creates broad legal exemptions that allow the government to share ‘cyber threat intelligence’ with private companies, and companies to share ‘cyber threat information’ with the government, for the purposes of enhancing cybersecurity. The problems arise from the definitions of these terms, especially when it comes to companies sharing data with the feds.”
Lawmakers today announced a new version of the controversial Cyber Intelligence Sharing and Protection Act (CISPA) will be introduced in a House committee this week. This CISPA, they claim, addresses concerns from privacy advocates who slammed the legislation for how users’ private data and browsing histories might be handled in the name of Internet security.
House Intelligence Committee Chairman Mike Rogers (R-Michigan) and Democratic U.S. Rep. C.A. “Dutch” Ruppersberger of Maryland told reporters today they will support at least some of the amendments to the bill when it heads to the committee this week for edits. CISPA passed the House last year but was blocked in the U.S. Senate; President Barack Obama also threatened to veto it based on privacy concerns.
“The improvements that we plan to make to the bill at the markup will address several of the administration’s concerns,” Rogers said in a Bloomberg article. “And we plan to keep talking and moving toward a consensus that will allow us to get the bill signed into law.”
The bill is designed to encourage the public and private sectors to share cyber threat data in real time by removing some of the legal hurdles. But opponents of CISPA still say the law doesn’t go far enough to protect citizens’ private data, including emails and financial records, from being misused by law enforcement and by private companies mining data for business intelligence and marketing purposes.
“Congress wants to appear as if it’s doing ‘something’ about Internet security,” wrote the Electronic Frontier Foundation’s Rainey Reitman in a Reddit thread. “But the truth is that the proposals they’re suggesting don’t address most of the major network security issues. From social engineering to two-step authentication, from the broken CA system to encrypting the Web, there are concrete and real issues around network security that can and should be addressed (though a lot of them aren’t legislative solutions). Instead of grappling with these issues, Congress is trying to push an information ‘sharing’ bill that would undermine existing privacy laws.”
Proposed changes to be debated this Wednesday include:
– Stripping identifiable data that the government, and particularly law enforcement, collects from private companies
– Narrowing how law enforcement can use the information it receives
– Removing a broadly written provision that allowed agencies to share data for “national security purposes”
– Establishing that there are no legal protections for companies that use shared data to launch a retaliatory strike
– Incorporating a new review process to monitor how data is handled
Rogers and Ruppersberger told reporters the tenor has changed in recent months with growing concern in the United States over cyberattacks believed to come from China. The Chinese, in turn, also claim to be victims of attacks primarily sourced in the United States.
The growing tension prompted Congress in February to tuck a new review process into a funding bill. On Monday that process drew criticism from a U.S.-Chinese business group, which claims it uses Internet security as a means to discriminate against Chinese technology manufacturers. The new law requires NASA, the U.S. Justice Department, Commerce Department and National Science Foundation to get approval from law enforcement officials prior to buying IT systems “produced, manufactured or assembled by one or more entities that are owned, directed or subsidized” by China.
“Product security is a function of how a product is made, used, and maintained, rather than by whom or where it is made. Imposing a country-specific risk assessment creates a false sense of security if the goal is to improve our nation’s cybersecurity,” U.S.-China Business Council President John Frisbie said in a letter quoted in a Reuters report today.