The bill was expected to be approved with some modifications by the House Intelligence Committee, which paves the way for a floor vote next week. It is a defiant move by pro-business lawmakers who locked horns last year with privacy advocates and civil liberties groups over a similar proposal. Last year’s bill passed the House but never gained traction in the Senate after the White House threatened to veto it.
Rep. Mike Rogers, R-Mich., the committee’s chairman, and Rep. Dutch Ruppersberger, D-Md., the panel’s top Democrat, said the political calculus has changed and that China’s hacking campaign was too brazen for the White House to justify the status quo.
“There’s a line around the Capitol building of companies willing to come in and tell us in a classified setting (that) ‘my whole intellectual property portfolio is gone,’” Rogers said. “I’ve never seen anything like this, where we aren’t jazzed and our blood pressure isn’t up.”
The Cyber Intelligence Sharing and Protection Act, or CISPA, is widely backed by industry groups that say businesses are struggling to defend against aggressive and sophisticated attacks from hackers in China, Russia and Eastern Europe. The bill would enable companies to disclose threat data to the government and competitors in real-time, lifting antitrust restrictions and giving legal immunity to companies if hacked, so long as they act in good faith.
Privacy and civil liberties groups have long opposed the bill over concerns it opens America’s commercial records to the federal government without putting a civilian agency in charge, such as the Homeland Security Department or Commerce Department. That leaves open the possibility that the National Security Agency or another military or intelligence office would become involved, they said. While the new program would be intended to transmit only technical threat data, opponents said they worried that personal information could be passed along, too.
On Monday, Rogers and Ruppersberger announced minor changes to the bill, dropping a provision that would have let the government use threat data for national security purposes. While the provision would have given lawyers flexibility to prosecute cases as technology evolves, privacy groups said that provision was dangerously broad and would have paved the way for government abuse.
The latest version also includes a requirement that the government remove any personal information from data obtained by the private sector. And the revised bill makes clear that companies can only use the information they get from the government to protect their networks, not for marketing or unrelated functions.
A lawyer for the American Civil Liberties Union, Michelle Richardson, said the bill could allow the military to review data on private commercial networks.
“A couple of cosmetic changes is not enough to address the concerns of members” in the Senate, Richardson said.
The House Intelligence Committee was meeting Wednesday to vote on amendments. While the proceedings were unclassified, the meeting was closed to the public — further angering opponents of the bill who said the legislation was being finalized in secret.
Susan Phalen, a panel spokeswoman, said the committee opted to hold the meeting in a room equipped for classified discussions in case members wanted to raise sensitive information.
In February, Obama signed an executive order that would help develop voluntary industry standards for protecting networks. But the White House and Congress agreed that legislation was still needed to address the legal liability companies face if they share threat information. Senate Majority Leader Harry Reid, D-Nev., promised at the time to advance a bipartisan proposal “as soon as possible,” although one hasn’t emerged.