“The government is best placed to do the minimization,” a committee staffer added. The bill would offer companies the chance to voluntarily minimize out personal data, the staffer said, and companies probably would want to do so because of “concern about their reputation.”
The Schakowsky amendment would have made the Department of Homeland Security the lead federal agency for collecting information from and sharing it with the private sector.
“Our bill is silent on where companies go to get the [cybersecurity threat] information back to the government,” said the committee staffer, adding it would be up to the Obama administration to define which agency or agencies played that role.
Critics are concerned that the lead will end up with the government agency that has the greatest resources and the most skilled employees in the arena of cybersecurity — the highly secretive and enormously powerful NSA.
But he said the NSA likely would play a major role.
“If you don’t have the capability of the NSA, taking that information from the Iranians and the North Koreans and others, and allowing that to get back into the system, it’s worthless. And if you want the gold-standard protection from cyberattacks, the NSA has to be at least somewhere. They don’t have to get it, they don’t have to be the lead in it, but they’re the ones that have the capability,” Mr. Rogers said.
“The effect of that is to shift the control of the cyberprogram from civilian hands to a secretive military agency,” said Greg Nojeim, senior counsel at the Center for Democracy and Technology. “It’ll be very difficult for there to be any transparency or any accountability if that shift happens.”
Other amendments supported by Mr. Rogers and Mr. Ruppersberger and passed by the committee would limit companies’ use of cyberthreat information they receive from the government and other companies strictly to cybersecurity purposes. This would “address concerns that they might use it for marketing or other noncybersecurity purposes,” according to Mr. Rogers. Another amendment gives the privacy officers of all the agencies involved additional oversight authority.
Congress has struggled and failed for years to pass broad cybersecurity legislation to protect nationally vital computer and communications networks such as the phone system or the computer systems of major banks from infiltration and attack by hackers, criminals, and even foreign espionage or military agencies.
But the Cyber Intelligence Sharing and Protection Act (CISPA), its authors say, would remove legal barriers that stop private-sector network owners and federal agencies from sharing real-time data with one another so online intruders or attackers can be detected and thwarted.
CISPA has “very narrowly drawn authorities with no room for misuse or abuse,” Mr. Rogers said.
The Obama administration threatened to veto a similar bill with the same name during the election campaign last year, citing privacy concerns, but the authors say they have been working to address the concerns of the White House.
“We’re closer on some [issues] and haven’t gotten close on others,” Mr. Rogers said.
Many technology firms and industry groups support the proposed new law, including AT&T, IBM, the U.S. Chamber of Commerce and Comcast, according to Maplight, a nonprofit that tracks lobbying expenditures and political donations.