The Cyber Intelligence Sharing and Protection Act (“CISPA”), H.R. 3523, passed in the House yesterday (April 26) in a 248 – 168 vote, despite opposition from several groups and a veto threat from the White House. The bill, which has been amended over the past couple of weeks in an attempt to address both security and privacy concerns, would allow private companies and the government to share “cyber threat intelligence” with each other.
In a joint statement, Rep. Rogers and Rep. Ruppersberger emphasized the balanced nature of the bill, stating that CISPA “gives the federal government new authority to share classified cyber threat information with approved American companies and knocks down barriers to cyber threat information sharing. With strong provisions built in to keep individual Americans’ private information private, the bill allows U.S. businesses to better protect their own networks and their corporate customers from hackers looking to steal intellectual property.”
Critics of the law have raised concerns that the sharing of any cyber threat intelligence with the government will lead to illegal collection and exploitation of personal information by the intelligence community. Despite amendments to address privacy concerns, privacy advocates still don’t believe the bill offers enough protection. The White House was critical as well, stating that “[c]ybersecurity and privacy are not mutually exclusive.”
While the White House position is correct that information sharing “must be conducted in a manner that preserves Americans’ privacy, data confidentiality, and civil liberties and recognizes the civilian nature of cyberspace,” an emphasis on privacy at all costs could jeopardize security by stalling the passage of needed cyber legislation. As Rep. Rogers observed yesterday, “we can’t stand by and do nothing as U.S. companies are hemorrhaging from the cyber looting coming from nation states like China and Russia.”