Cyber information sharing bill gets new life in House

Thursday - 2/14/2013, 9:45am EST

Jared Serbu reports

Download mp3

Although last year's efforts to pass cybersecurity legislation in Congress were repeatedly stymied by gridlock, the top Republican and Democrat on the House Intelligence Committee say 2013's a whole new ball game.

Reps. Mike Rogers (R-Mich.) and Dutch Ruppersberger (D-Md.), the chairman and ranking member of the Intelligence Committee, respectively, cosponsored one of several cybersecurity bills in the last Congress, the Cyber Intelligence Sharing and Protection Act (CISPA). It cleared the House, but died in the Senate in the midst of a White House veto threat.

But Rogers said he and Ruppersberger now have mended fences with the White House. Addressing the Center for Strategic and International Studies Wednesday, Rogers praised the President for issuing an executive order this week to strengthen cybersecurity, a step he said would advance the cause of the legislation. He said it also was a good thing that the President brought up the topic during the State of the Union address.

"He also acknowledged we need to pass a bill in Congress, another very good thing. It's a tone change, and we're wildly accepting of that change," he said. "And the executive order, we think, takes a little bit of the pressure off of the Senate's insistence on creating [cybersecurity] rules, regulations and standards for private infrastructure. All of that combined, I think, increases our opportunity to get a cyber information sharing bill that we all believe is important."

And Ruppersberger said the Intelligence Committee and the White House now are actively discussing the way forward in Congress — a contrast to the environment surrounding last year's veto threat, which the Maryland Democrat described, at the time, as a "kick to the solar plexus."

"We had some issues with the White House last time, and we still don't agree on everything. But what we do agree on is that we're going to work together," he said. "Our intelligence staff and the White House staff are working together now. We had a commitment again today from the White House. They will work with us because they know how serious this is."

A more narrowly tailored bill

Rogers and Ruppersberger reintroduced CISPA Wednesday in a form they say is more narrowly tailored and that should solve the previous privacy concerns the White House and civil liberties groups expressed last year.

As opposed to the more overarching cybersecurity overhaul the Senate considered in the last Congress, the House Intelligence Committee bill focuses only on information sharing. The government's intelligence community would be ordered to come up with a secure way of sharing classified cyber threat signatures with Internet service providers and other private sector companies. Those companies, in turn, could voluntarily share threat signatures with the government and would receive liability protection from any lawsuits that could otherwise arise from transmitting proprietary data.

But Rogers said that protection would not be a blank check to violate customer privacy. Companies, he said, would only be able to send to the government information about bona fide cyber threats, not the actual content of email messages, Facebook posts or tweets.

"If this was about content, none of this would work," he said. "We're not worried about content. It has to be about trying to find malicious code that's embedded in an email or whatever, but that's not the content. But in order to doubly make sure agencies are following the law, we've said the inspector general must, every year, do an audit and then report to us on how they've used the information, what kind of information they got, if they got it wrong, how they rectified it and properly destroyed the information, and make sure it's not collected on government servers, which we thought was important."

Limited use of information

In addition to oversight and an annual report by the Intelligence Community Inspector General, the revised bill would clamp down on the government's use of any information it gets from private companies under the program. Last year's bill, for example, would have let prosecutors use that shared information in child pornography investigations or matters relating more broadly to "national security" investigations. This year's edition says agencies can only use the information they get from the private sector for "cybersecurity purposes."

Nonetheless, the new bill drew criticism from at least one civil liberties group. The Constitution Project issued a statement saying it could still be used to authorize domestic spying and hand over personal information to government agencies.

"The safeguards for privacy rights and civil liberties contained in this cybersecurity bill are woefully inadequate," said Sharon Bradford Franklin, the organization's senior policy counsel. "While the goal of protecting our nation's networks from cyber attacks is a laudable one, Congress must also address the very real threat this legislation poses to Americans' privacy rights and civil liberties."