A US House of Representatives committee failed to make the changes necessary to allay fears about government surveillance in a controversial cyberthreat sharing bill that's moving toward a House vote, critics said.
The House Intelligence Committee, in voting 18-2 Wednesday to approve the Cyber Intelligence Sharing and Protection Act (CISPA), did not address concerns that the bill would allow private companies to share too much customer information with government agencies in the name of fighting cyberattacks, digital rights groups said.
Committee leaders expect the full House to vote on CISPA as soon as next week.
"Cyberhackers from nation-states like China, Russia, and Iran are infiltrating American cyber networks, stealing billions of dollars a year in intellectual property, and undermining the technological innovation at the heart of America's economy," committee chairman Mike Rogers, a Michigan Republican and cosponsor of the bill, said in a statement. "This bill takes a solid step toward helping American businesses protect their networks from these cyber looters."
But digital rights groups said the bill still has major flaws. "The changes that were offered during the closed-door markup do nothing to address the specific concerns we've been expressing about the bill for months," said Evan Greer, campaign manager at digital rights group Fight for the Future.
The bill will allow private companies to share a wide range of customer information they deem to be related to cyberthreats with US agencies like the National Security Agency, Greer said in an email.
"The version of CISPA that passed out of Committee yesterday has several amendments that make it appear better on the surface, but do nothing to address the fundamental flaw with the bill, which is that it still allows massive amounts of private user data to be shared with secretive agencies," he added. "It still provides sweeping legal protections for corporations that share our data."
If CISPA's sponsors don't want it to be a surveillance bill, they should make additional changes, Greer added. "If that's true, there's an easy fix: write that into the bill," he added.
Sponsors and some other lawmakers defended the bill, saying it provides significant privacy protections. The committee accepted an amendment from Representative Jim Langevin, a Rhode Island Democrat, that prohibits companies from counterattacking, or hacking back, against cyberattackers after digital rights groups raised concerns that the bill's language could allow such activity.
Langevin praised the bill, saying more cyberthreat information sharing is needed, but he also suggested that CISPA "is not a final solution to cybersecurity." "While [the bill] promises to greatly improve situational awareness, information sharing alone will not allow us to prevent every attack," he said in a statement. "Our most vulnerable and valuable infrastructure must meet minimum cybersecurity standards in order to minimise the risk of a major cyberattack that could leave millions without electricity or safe drinking water for an extended period of time." Another amendment approved by the committee would limit the private sector's use of any cybersecurity information received to only cybersecurity uses. Some digital rights and privacy groups had questioned whether the bill would allow companies to use the cyberthreat information they receive for other purposes. The committee also removed language from the bill would allow the government to use data collected under CISPA "for national security purposes," in an attempt to narrow the government's use of the information. But Greer questioned whether that was a substantial improvement. The change is "not a real fix," he said. "The term 'cybersecurity' is so poorly defined within the bill that it does not provide meaningful limitations on what can be done with the data that's collected." Sponsors of the bill said it contains several privacy protections. CISPA prohibits the government from forcing private sector entities to provide information to the government, and encourages the private companies to "anonymize" or "minimize" the information they voluntarily shares with the government, sponsors said. The bill also allows individuals to sue the federal government for privacy damages, costs and attorney's fees in federal court, and it requires an annual review of the information-sharing program by the intelligence community inspector general. CISPA will sunset in five years.
Still, Representative Adam Schiff, a California Democrat , said he was disappointed that the committee rejected his amendment that would have required companies to make reasonable efforts to remove unrelated private information from the cyberthreat information they share. "It is not too much to ask that companies make sure they aren't sending private information about their customers, their clients, and their employees to intelligence agencies, along with genuine cyber security information," he said in a statement. Among the groups voicing support for the bill were the BSA and the Software and Information Industry Association, both software trade groups. CISPA would "provide the critical necessary framework for early detection and notification of cybersecurity threats," the SIIA said.