Opponents of a bill to let private companies share cybersecurity information with the federal government vowed Thursday to continue their fight, saying the proposed law would lead to broader government monitoring of the Internet.
The American Civil Liberties Union opposes the bill because “Companies can still share personal information with each other or the government [and] military agencies like the NSA are still allowed to collect American Internet information,” ACLU legislative attorney Michelle Richardson said.
The House Permanent Select Committee on Intelligence approved the bill 18-2 at a closed-door markup Wednesday, after adopting amendments designed to assuage fears that the proposal would allow broad government monitoring of domestic electronic communications and scoop up the private data of Americans for analysis by the National Security Agency.
The bill now is expected on the House floor as early as next week, according to congressional staff.
“This is not a surveillance bill,” said Rep. Mike Rogers, Michigan Republican and committee chairman. “This bill does not allow the NSA or any government agency to plug into domestic networks and listen in.”
During the two-hour-plus meeting, the committee rejected two amendments supported by Internet civil liberties advocates and proposed by the two Democrats who ended up voting against the bill — Reps. Adam B. Schiff of California and Janice D. Schakowsky of Illinois.
The Schiff amendment would have required companies sharing cybersecurity information — for instance, samples of network traffic data in real time — to make “reasonable efforts (which may include automated processes)” to strip out the personally identifiable or private data of individuals “unrelated to a cyberthreat.”
Mr. Schiff expressed disappointment that his amendment was voted down.
“It is not too much to ask that companies make sure they aren’t sending private information about their customers, their clients and their employees to intelligence agencies, along with genuine cybersecurity information,” he said in a statement.
The Software and Information Industry Association, which represents the big companies that make software, games and other digital content, opposed the amendment.
Personal or private data “may be intertwined with cybersecurity information in ways that make it hard to remove. That was our concern,” said David LeDuc, head of public policy for the association.
Mr. LeDuc offered as an example data tracing a hacker’s route into a compromised network, which might include his impersonating or taking over the machine of a person at the company to get access to the system. That trace data might contain names and passwords belonging to innocent third parties, Mr. LeDuc said.
Committee staffers said lawmakers had adopted a different amendment, one that would require the government to strip out personal data.
The amended bill would “require government to establish procedures to minimize the [cybersecurity threat] information they receive of any” personally identifying information, said Rep. C.A. Dutch Ruppersberger of Maryland, the committee’s ranking Democrat. His district includes NSA’s headquarters at Fort Meade.
He and Mr. Rogers spoke with reporters on a conference call this week ahead of the closed-door session.
“The government is best placed to do the minimization,” a committee staffer added. The bill would offer companies the chance to voluntarily minimize out personal data, the staffer said, and companies probably would want to do so because of “concern about their reputation.”
The Schakowsky amendment would have made the Department of Homeland Security the lead federal agency for collecting information from and sharing it with the private sector.
“Our bill is silent on where companies go to get the [cybersecurity threat] information back to the government,” said the committee staffer, adding it would be up to the Obama administration to define which agency or agencies played that role.
Critics are concerned that the lead will end up with the government agency that has the greatest resources and the most skilled employees in the arena of cybersecurity — the highly secretive and enormously powerful NSA.
“I don’t know where they get that,” Mr. Rogers said. “It doesn’t say that in the bill. We’re agnostic” on how the government should gather the information.
But he said the NSA likely would play a major role.
“If you don’t have the capability of the NSA, taking that information from the Iranians and the North Koreans and others, and allowing that to get back into the system, it’s worthless. And if you want the gold-standard protection from cyberattacks, the NSA has to be at least somewhere. They don’t have to get it, they don’t have to be the lead in it, but they’re the ones that have the capability,” Mr. Rogers said.
“The effect of that is to shift the control of the cyberprogram from civilian hands to a secretive military agency,” said Greg Nojeim, senior counsel at the Center for Democracy and Technology. “It’ll be very difficult for there to be any transparency or any accountability if that shift happens.”
Other amendments supported by Mr. Rogers and Mr. Ruppersberger and passed by the committee would limit companies’ use of cyberthreat information they receive from the government and other companies strictly to cybersecurity purposes. This would “address concerns that they might use it for marketing or other noncybersecurity purposes,” according to Mr. Rogers. Another amendment gives the privacy officers of all the agencies involved additional oversight authority.
Congress has struggled and failed for years to pass broad cybersecurity legislation to protect nationally vital computer and communications networks such as the phone system or the computer systems of major banks from infiltration and attack by hackers, criminals, and even foreign espionage or military agencies.
But the Cyber Intelligence Sharing and Protection Act (CISPA), its authors say, would remove legal barriers that stop private-sector network owners and federal agencies from sharing real-time data with one another so online intruders or attackers can be detected and thwarted.
CISPA has “very narrowly drawn authorities with no room for misuse or abuse,” Mr. Rogers said.
The Obama administration threatened to veto a similar bill with the same name during the election campaign last year, citing privacy concerns, but the authors say they have been working to address the concerns of the White House.
“We’re closer on some [issues] and haven’t gotten close on others,” Mr. Rogers said.
Many technology firms and industry groups support the proposed new law, including AT&T, IBM, the U.S. Chamber of Commerce and Comcast, according to Maplight, a nonprofit that tracks lobbying expenditures and political donations.
Collectively, the bill’s supporters gave more than $3.25 million to members of the intelligence committee between July 2010 and July 2012, Maplight reported after analyzing federal data.
By contrast, the groups opposing the bill gave $212,208 over the same period.
However, as Maplight points out, more recent figures might tell a different story.
“Several major web companies that had supported the bill in the last session of Congress (Facebook, Microsoft, and others) have withdrawn their support for the bill this session, citing concerns about privacy,” Maplight notes.
Mr. Schiff called on the House leadership, who now must schedule a floor debate and decide which amendments will be considered, “to ensure that we have a full and open debate and that my amendment, and others to make a real difference in protecting privacy and civil liberties, receive an up or down vote on the House floor.”