House Passes CISPA Despite White House Veto Threat

The House passed an amended version of the Cyber Intelligence Sharing and Protection Act (CISPA) by a 288 to 127 vote Thursday. The revised CISPA aims to increase cyberthreat information sharing between the public and private sectors, something which cybersecurity experts say is needed to protect U.S. networks from attacks. HR-624 is a modified version of the information sharing legislation that passed by the House last year (HR-3523) but failed to achieve a vote in the Senate. Ninety-two Democrats voted for the bill Thursday, 50 more than voted for the CISPA bill that passed the House in the last Congress.

At our deadline the White House didn’t revise its veto threat on the bill and offered no comment on its passage. Privacy groups continued to object to CISPA for what they said was a lack of privacy protections in the bill. Telecom and technology groups hailed CISPA’s passage because it includes provisions to offer companies liability protections for sharing cyberthreat data with the government. The legislation became the fourth cybersecurity measure passed by the House this week. Others are the Federal Information Security Amendments Act (HR-1163), the Cybersecurity Enhancement Act (HR-756) and the Advancing America’s Networking and Information Technology Research and Development Act (HR-967).

House Intelligence Committee Chairman Mike Rogers, R-Mich., capped the two-day debate with a pep rally speech on the House floor, urging members to approve the bill and stop China’s theft of U.S. intellectual property. “If you want to take a shot across China’s bow, this is it,” he roared.

Key to the bill’s passage was the inclusion of what Rogers called “an important amendment,” aimed at giving a “civilian face” to the legislation’s information sharing framework. Lawmakers voted 409-5 to approve the amendment, offered by chairmen and ranking members of the House Intelligence and Homeland Security committees, to assign agencies within the departments of Homeland Security and Justice to be the first recipients of any cyberthreat information shared by private sector companies, among other provisions. The amendment directs the government to conduct cybersecurity activities in real time to create cybersecurity situational awareness across federal agencies.

House Homeland Security Chairman Mike McCaul, R-Texas, said the amendment “ensures DHS and DOJ will serve as points of entry for those seeking to share cyberthreat information with the federal government.” House Homeland Security Ranking Member Bennie Thompson, D-Miss., said that with the amendment, “citizens may take comfort knowing that their information will be more likely shared with the appropriate civilian agency with the accompaniment of accountability and transparency. And businesses can be sure that their dealings abroad will not be colored by the perception, fair or otherwise, that they are in cahoots with the National Security Agency.”

House Minority Leader Nancy Pelosi, D-Calif., is “disappointed” that the bill “did not address the major concerns of members of Congress and the White House by improving the legislation’s protections for personal information,” she said in a floor speech. She said it’s “unfortunate” that the bill didn’t require the private sector to minimize irrelevant personally unidentifiable information in the cyberthreat data it shares with the government. “They can just ship the whole kit and caboodle,” she said. “They should minimize [it to] what is relevant to our national security. The rest is none of the government’s business.” Pelosi also objected to the “overly broad liability protections and immunities to the businesses that could violate our liberties.” Instead, the legislation should offer more “targeted” liabilities to private sector entities to ensure they “only share appropriate information.” Pelosi said the bill’s most important failure is what she called its inability to address cybersecurity vulnerabilities in the nation’s critical infrastructure. “If we are truly going to secure a reliable and resilient cyberspace that reflects our country’s values, we must target our clearest vulnerabilities while preserving a space that promotes the innovation, expression and security of the American people.”

McCaul objected to Pelosi’s comments. “With all due respect, [the bill] does provide the balance between security and civil liberties,” he said in a subsequent floor speech. “And it provides the civilian interface to the private sector to protect our critical infrastructures that are already under attack by countries like Iran, China and Russia.” McCaul compared the recent bombings at the Boston Marathon to the kinds of national security threats that America faces in cyberspace: “In the case of Boston, they were real bombs, explosive devices. In this case, they are digital bombs. And these digital bombs are on their way,” he said. “That is why it is so urgent we pass this today, because if we don’t, and those digital bombs land and attack the United States of America, and Congress failed to act, then Congress has that on its hands.”

House Judiciary Committee Ranking Member John Conyers, D-Mich., is disappointed the bill passed “without critical privacy safeguards,” he said in a written statement. “Effective cybersecurity legislation must protect our privacy and encourage better cybersecurity practices, but this bill fails to do both. We must address these shortcomings before a bill reaches the President’s desk.” Rep. Adam Schiff, D-Calif., said CISPA still lacks any requirement that private companies remove the personal information of Americans before sharing cybersecurity information with the government or other companies. The Senate should make a “stronger effort” to “take into account the privacy concerns expressed by the White House, civil liberties groups, and House members from both parties,” he said in a statement after the vote.

Senate Commerce Committee Chairman Jay Rockefeller, D-W.Va., said there are “insufficient” privacy protections in the bill. Yet its passage “is important,” he said in a news release. “We need action on all the elements that will strengthen our cybersecurity, not just one, and that’s what the Senate will achieve.” Rockefeller said he will work with Commerce Committee Ranking Member John Thune, R-S.D., and the chairmen and ranking members on other committees of jurisdiction, “to go through regular order. I believe we can gain bipartisan agreement on bills that we can report out of our Committees and allow Leader [Harry] Reid [D-Nev.] to bring them to the Senate floor as early as possible.”

The White House veto threat was due to concerns that the bill “does not require private entities to take reasonable steps to remove irrelevant personal information when sending cybersecurity data to the government or other private sector entities,” said a policy statement released Tuesday. The legislation “must include proper privacy and civil liberties protections, reinforce the appropriate roles of civilian and intelligence agencies, and include targeted liability protections,” a White House spokesman said Tuesday.

House Majority Leader Eric Cantor, R-Va., said he was disappointed President Barack Obama threatened to veto the bill and urged him to reconsider his decision. “Every day there are reminders that people throughout the world wish to do harm to America, and whether it is a homemade bomb, an intercontinental ballistic missile, or a vicious cyber attack, we must do everything in our power to prevent and protect against attacks on our homeland,” Cantor said in a news release. He said he is thankful CISPA’s authors included strong privacy and civil liberty protections and “strict regulations governing the use of information shared between the private sector and government.”

The House passed 11 of 13 proposed amendments to the bill. Two amendments were withdrawn. Lawmakers unanimously passed Rogers’ manager’s amendment to make a technical change to the bill that would ensure the government isn’t authorized to use certain documents containing personally identifiable information. The House unanimously approved an amendment offered by Rep. Gerry Connolly, D-Va., to further define how cyberthreat information may be shared. The amendment adds a provision to clarify that entities may only use, retain or disclose classified cyberthreat information if it’s used for cybersecurity purposes. Lawmakers approved an amendment offered by Rep. Brad Schneider, D-Ill., by a voice vote to permit eligibility to independent contractors for security clearances to handle classified cybersecurity information. The House voted 411-3 to pass an amendment offered by Rep. Jim Langevin, D-R.I., to replace language in the bill to ensure that utility districts aren’t unintentionally limited from protecting their own data.

The House unanimously passed an amendment to add the DHS Inspector General to the list of parties asked to submit an annual report to Congress related to how the federal government’s handling of cyberthreat information impact’s individuals’ privacy. The amendment would require the House and Senate Homeland Security committees to submit reports on which recipients are provided cyberthreat information. The proposal was offered by Kyrsten Sinema, D-Ariz. The chamber passed a similar amendment offered by Rep. Loretta Sanchez, D-Calif., to add language to the bill that would add the DHS offices of privacy and civil rights and civil liberties to the list of those required to report to Congress on the privacy impact of the bill.

Lawmakers unanimously passed an amendment offered by Rogers and Rep. Doug LaMalfa, R-Calif., to clarify that nothing in the bill authorizes the government to target a U.S. citizen for surveillance. Rogers described the measure an “important mythbuster,” during a floor speech. The House passed by a voice vote an amendment offered by Rep. Erik Paulsen, R-Minn., to establish the sense of Congress that international cooperation should be encouraged where possible under this bill. Also passed by a voice vote was an amendment from Rep. Joe Barton, R-Texas, to clarify that nothing in the bill permits companies to sell consumers’ personal information to other companies for marketing purposes. Barton, a co-chairman of the House Bipartisan Privacy Caucus, said in a news release the measure adds an “important layer of protection” to the bill that “explicitly restricts companies from abusing personal information by attempting to sell it for a marketing purpose.” “I do not want companies to assume that this bill could serve as a loophole to allow them to turn personal information into a product that can be bought and sold,” he said. Lawmakers passed by a voice vote an amendment from Rep. Shelia Jackson Lee, D-Texas, to clarify that nothing in the bill requires government cybersecurity contractors to provide information about cybersecurity incidents unless they pose a threat to the security of federal government’s information.

Privacy groups said they were unsatisfied by the adopted privacy amendments and urged the Senate to advance legislation with stronger provisions to protect American’s privacy. ACLU Legislative Counsel Michelle Richardson in a news release described CISPA as an “extreme proposal that allows companies that hold our very sensitive information to share it with any company or government entity they choose, even directly with military agencies like the NSA, without first stripping out personally identifiable information.” “We will work with Congress to make sure that the next version of information sharing legislation unequivocally resolves this issue, as well as tightens immunity provisions and protects personal information.” Free Press Action Fund is “disappointed that the bill’s sponsors once again ignored the overwhelming opposition to this dangerous bill by the public, civil liberties advocates and even the White House,” said Policy Director Matt Wood. The Center for Democracy and Technology said that despite improvements, the bill remains “fundamentally flawed.” The bill fails to require companies to remove personally identifiable information from shared cyberthreat data and “invites companies to engage in reckless and negligent cybersecurity conduct that could injure others, and insulates that conduct against criminal and civil liability,” said Senior Counsel Greg Nojeim.

Associations representing cable and telecom companies commended the bill’s passage as an important step to increasing the security of the nation’s networks and urged the Senate to follow suit. Verizon Senior Vice President-Federal Government Relations Peter Davidson said in a news release CISPA will “boost ongoing cybersecurity efforts by promoting the voluntary sharing of cyber threat information among communications companies and federal agencies; provide appropriate liability protections and -- a top priority for Verizon -- put in place consumer-privacy safeguards. … The bill accomplishes this without the need for technology mandates or prescriptive rules that would become quickly outdated, and it ensures that communications infrastructure providers retain the flexibility to implement all measures available to them to secure their networks.” USTelecom President Walter McCormick said CISPA’s passage marks an “important step forward in helping us better protect our customers’ data and our networks.” McCormick added that the “limitations on the use of shared information for cybersecurity purposes, the enhanced roles given to the Department of Homeland Security and its inspector general, and the assurance that companies cannot use shared information as a loophole for consumer marketing are all examples of amendments that strike an appropriate balance between our security and our liberty.” CTIA Vice President-Government Affairs, Jot Carpenter, said the “enactment of a voluntary information-sharing framework, like the one in this bill, is the single most important thing the government can do to help the wireless industry enhance its cybersecurity posture.” NCTA President Michael Powell said the bill will “enhance protection of our Internet infrastructure, consumers and America’s economy.”

Several technology groups also hailed CISPA’s passage. Business Roundtable President John Engler commended House members for passing the bill and said the group will work to ensure that information sharing legislation becomes law. TechAmerica Senior Vice President-Federal Government Affairs Kevin Richards commended Rogers and Rep. Dutch Ruppersberger, D-Md., for their “willingness to work with all interested stakeholders to try to get the best bill possible.” Software and Information Industry Association supports the bill because it would provide the “critical necessary framework for early detection and notification of cybersecurity threats,” said President Ken Wasch. Information Technology Industry Council President Dean Garfield said the bill achieves the “balance of protecting national security and personal privacy,” and urged the Senate to move forward with similar cybersecurity legislation. Telecommunications Industry Association President Grant Seiffert commended passage as “an important step toward giving the private sector a powerful tool in the fight to improve network security.”