On April 18, the US House of Representatives passed the Cyber Intelligence Sharing and Protection Act (CISPA), H.R. 624, which would enable companies to share information about cyber threats while benefiting from certain liability protections. The bill passed despite a White House threat earlier this week to veto the bill. The vote was 288-127, with 196 Republicans and 92 Democrats in favor, and 29 Republicans and 98 Democrats opposed—and thus the House vote would be sufficient to override any presidential veto.
Reps. Rogers (R-Mich.) and Ruppersberger (D-Md.) introduced CISPA again this year shortly after the President issued his Executive Order on “Improving Critical Infrastructure Cybersecurity” (which we covered previously). A similar version of the bill passed the House in 2012, but stalled in the Senate. And the White House similarly threatened to veto the bill last year.
CISPA would provide companies with liability protection for sharing cyber threat information with the US government and other companies. The bill also includes measures to protect shared cyber threat information from disclosure (e.g., in response to FOIA requests) or unrelated uses by the U.S. government. The federal government would be permitted to use received cyber threat information in the following ways:
- for cybersecurity purposes;
- for the investigation and prosecution of cybersecurity crimes;
- for the protection of individuals from the danger of death or serious bodily harm (and associated investigations and prosecutions); or
- for the protection of minors from child pornography, any risk of sexual exploitation, and serious threats to the physical safety of minors (and associated investigations and prosecutions).
In efforts to address the concerns of the White House and privacy advocates opposed to the bill, the House passed several significant amendments to this year’s version of CISPA, including the following:
- The US government may no longer use cyber threat information for national security purposes.
- Companies may use cyber threat information only for cybersecurity purposes.
- The Department of Homeland Security (DHS) and Department of Justice are now the governmental entities designated to receive cyber threat information.
- The DHS Office of Inspector General is designated to submit an annual report to Congress reviewing, among other things, the impact of information sharing on privacy and civil liberties.
- A new provision states that nothing in CISPA authorizes the US government to target US persons for surveillance.
Among the reasons that the White House cited earlier this week for its veto threat were concern “that the bill does not require private entities to take reasonable steps to remove irrelevant personal information when sending cybersecurity data to the government or other private sector entities” as well as concern “about the broad scope of liability limitations.” And the White House noted its view that any information-sharing provision should be part of a broader legislative action on cybersecurity, including “legislation that: (1) strengthens the Nation’s critical infrastructure’s cybersecurity by promoting the establishment and adoption of standards for critical infrastructure; (2) updates laws guiding Federal agency network security; (3) gives law enforcement the tools to fight crime in the digital age; and (4) creates a National Data Breach Reporting requirement.” It is unclear whether the White House’s veto threat will remain in light of the amendments to CISPA passed subsequent to the White House’s statement.
The continued debate and controversy surrounding CISPA contrasts sharply with the House’s uncontroversial passage of other cybersecurity-related bills this week to address cybersecurity defense efforts for US governmental systems and funding for cybersecurity-related research and development.