Both sides agree on the need to better share threat information, but disagreement on how to protect privacy threatens the bill.
UDPATED: House passes CISPA, despite veto threat.
The debate on cybersecurity has moved from the committee hearing rooms to the House floor, as legislators began debate on the controversial Cyber Intelligence Sharing and Protection Act, H.R. 3523.
The bipartisan bill would allow the sharing of classified cyber threat information by the military intelligence community with the private sector and encourage the sharing of attack information by companies with government. Critics acknowledge the need for better information sharing but say the bill’s privacy protection is inadequate and that it could open the door to government spying and misuse of personal information by both the government and private sector. That possibility has produced a threat of a veto from the White House.
The bill was debated April 26 and was expected to come up for House vote April 27.
Co-sponsors Rep. Mike Rogers (R-Mich.) and Dutch Ruppersberger (D-Md.) said the bill is narrowly crafted to limit the government’s use of information and does not mandate that companies any information to the government.
“It’s all voluntary; there are no mandates,” Rogers said. “There is no government surveillance in the bill.”
But some Democrats argued that the bill is one-sided, providing companies with broad immunity for sharing data that could include personally identifiable information and putting inadequate restrictions on government use.
“It does not do what we need to have done,” said Rep. Bennie Thompson (D-Miss.). “It would create a Wild West of information sharing.”
Georgia Democratic Rep. Hank Johnson called it a “disturbing bill” that erodes personal freedoms. His fellow Georgian Rep. John Lewis raised the specter of government spying on civil rights activists during the 1960s.
Rep. Mary Bono Mack (R-Calif.) called the privacy concerns exaggerated. “There is no boogie man hiding in the closet,” she said, criticizing what she called “false alarms and red flags.”
The Office of Management and Budget on April 25 released a statement saying it “strongly opposes” the bill in its current form and that senior advisers recommend its veto if it passes the House and Senate.
The statement said that security and privacy are not mutually exclusive but that “H.R. 3523 fails to provide authorities to ensure that the nation's core critical infrastructure is protected while repealing important provisions of electronic surveillance law without instituting corresponding privacy, confidentiality and civil liberties safeguards.”
OMB's statement says the bill lacks adequate limitations on sharing of personally identifiable information and improperly shields companies that misuse information.