Lawmakers today announced a new version of the controversial Cyber Intelligence Sharing and Protection Act (CISPA) will be introduced in a House committee this week. This CISPA, they claim, addresses concerns from privacy advocates who slammed the legislation for how users’ private data and browsing histories might be handled in the name of Internet security.
House Intelligence Committee Chairman Mike Rogers (R-Michigan) and Democrat U.S. Rep. C.A. “Dutch” Ruppersberger of Maryland told reporters today they will support at least some of the amendments to the bill when it heads to the committee this week for edits. CISPA last year passed the House but it was blocked in the U.S. Senate; President Barack Obama also threatened to veto it based on privacy concerns.
“The improvements that we plan to make to the bill at the markup will address several of the administration’s concerns,” Rogers said in a Bloomberg article. “And we plan to keep talking and moving toward a consensus that will allow us to get the bill signed into law.”
The bill is designed to encourage the public and private sectors to share cyber threat data in real time by removing some of the legal hurdles. But opponents of CISPA still say the law doesn’t go far enough to protect citizens’ private data, including emails and financial records, from being misused by law enforcement and by private companies mining data for business intelligence and marketing purposes.
“Congress wants to appear as if it’s doing ‘something’ about Internet security,” wrote the Electronic Frontier Foundation’s Rainey Reitman in a Reddit thread. “But the truth is that the proposals they’re suggesting don’t address most of the major network security issues. From social engineering to two-step authentication, from the broken CA system to encrypting the Web, there are concrete and real issues around network security that can and should be addressed (though a lot of them aren’t legislative solutions). Instead of grappling with these issues, Congress is trying to push an information ‘sharing’ bill that would undermine existing privacy laws.”
Proposed changes to be debated this Wednesday include:
– Stripping identifiable data the government and particularly law enforcement collects from private companies
– Narrowing how law enforcement can use the information it receives
– Removing a broadly written provision that allowed agencies to share data for “national security purposes”
– Establishing there are no legal protections for companies that use shared data to launch a retaliatory strike
– Incorporating a new review process to monitor how data is handled
Rogers and Ruppersberger told reporters the tenor has changed in recent months with growing concern in the United States over cyberattacks believed to come from China. The Chinese, in turn, also claim to be victims of attacks primarily sourced in the United States.
The growing tension prompted Congress to tuck a new review process in a funding bill in February that on Monday drew criticism from a U.S.-Chinese business group claiming the process uses Internet security as a means to discriminate against Chinese technology manufacturers. The new law requires NASA, the U.S. Justice Department, Commerce Department and National Science Foundation to get approval from law enforcement officials prior to buying IT systems “produced, manufactured or assembled by one or more entities that are owned, directed or subsidized” by China.
“Product security is a function of how a product is made, used, and maintained, rather than by whom or where it is made. Imposing a country-specific risk assessment creates a false sense of security if the goal is to improve our nation’s cybersecurity,” U.S.-China Business Council President John Frisbie said in a letter quoted in a Reuters report today.