The US House of Representatives has once again passed the Cyber Intelligence Sharing and Protection Act (CISPA), which died in the Senate last year, by a margin of 288 to 127 after two days of debate. Over several hours, House opinion on the bill boiled down to whether the redesigned CISPA successfully addressed criticism from civil libertarians, and whether the threat of cyberattacks was grave enough to justify overriding lingering concerns. Representative Candice Miller (R-MI), a CISPA supporter, painted a dire picture of North Korean hackers taking down the US power grid, and Rep. Joe Heck (R-NV) warned that "our nation is under attack." Rep. Mike McCaul (R-TX) went so far as to urge passage with a comparison to the Boston Marathon bombings: "In the case of Boston they were real bombs, in this case they're digital bombs. And these digital bombs are on their way."
"Our nation is under attack."
Cyberwarfare is seen as a major threat by other parts of the US government. Director of National Intelligence James Clapper has testified about the possibility of a major cyber attack, and the NSA has stepped up its cyberwarfare efforts with offensive and defensive teams. President Barack Obama has signed an executive cybersecurity order, and he's urged Congress to pass legislation that would broaden it. At its core, CISPA is meant to make it easier for companies to share information about online attacks between each other and the government, letting them catch hacks early and better defend themselves. But there's disagreement over whether it does so while protecting the privacy of ordinary people whose data is actually at risk of being exposed.
While both Facebook and Microsoft have backed away slightly from supporting CISPA, other major tech lobby groups have urged its passage, and only a small number of companies — including Mozilla and Reddit — have actively opposed it. Instead, organized protest has come from advocacy groups like the ACLU or EFF, who warn that the bill's provisions could supersede existing privacy agreements, letting companies share private information about their users with the government. The White House has expressed this concern as well, asking legislators to build stronger protections for users into the bill.
After the bill was marked up in committee, several amendments were brought and passed. One, which was filed the day before floor debate, designates the Department of Homeland Security as the central agency for receiving company data, after which it could be passed to other agencies. Early drafts were hailed as a way to limit the scope of government sharing, with the ACLU's Michelle Richardson telling reporters that it was "by far the biggest amendment."
"For all of this floor action, the bill is pretty much the same."
Richardson now says, however, that the amendment was stripped of its teeth before being brought to the floor. It does not require companies to report only through the DHS if they want to keep their immunity, instead simply designating the department as a primary point of contact. She also didn't believe the other amendments made much different to the final result: "For all of this floor action, the bill is pretty much the same." Many of them were designed to be clarifications, making it evident that legislators don't intend CISPA to be used for surveillance or searches; unfortunately, unintended consequences or abuses are what opponents worry about.
Some legislators protested the fact that oversight amendments were shot down in committee, before the bill came to the floor. Among other things, these amendments could have set further limits to when governments would use shared information, required companies to scrub personal data from the user information they sent, or bound them to abide by privacy contracts with users. Rep. Jared Polis (D-CO), a particularly outspoken CISPA critic, said that the bill as written was "wide open to potential abuse," arguing that it could open the door to searching through user data. "There are absolutely no protections with regards to what is done with this information," he said.
"The Fourth Amendment trumps all."
Rep. Rob Woodall (R-GA) dismissed his concerns, saying that CISPA could not erode existing constitutional protections. "The Fourth Amendment trumps all," he said, adding that foreign cyber threats posed a bigger danger to privacy. Supporters also pointed to amendments that would govern sharing with civilian agencies, limiting it to "cybersecurity" cases. Others criticized the notion that CISPA information-sharing would authorize surveillance or allow companies to break user privacy agreements, calling the latter "misinformation."
The bill still has a long road before becoming law. CISPA initially passed in the House last year, but it wasn't taken up by the Senate. Now, it will once again be up to the Senate to craft and pass a companion bill. Whether Obama will support the bill is another matter. While the White House has said repeatedly that it will work with legislators, a statement released yesterday said the Obama Administration would veto CISPA if changes weren't made. Now, it's up to the Senate to determine what its version of the proposed law will look like — and whether it will actually make it through this time.