Cyber intel sharing bill moves through House
The first two cybersecurity bills being considered in the House during "Cyber Week," CISPA and the Federal Information Security Amendments Act, passed April 26; two more bills are also up for consideration.
The House of Representatives last night voted to pass the Cyber Intelligence Sharing and Protection Act, despite privacy concerns and a White House veto threat. The House also voted to pass the Federal Information Security Amendments Act.
The bills are the first of several pieces of cybersecurity legislation being considered during what is being called House Cyber Week. Two more bills, H.R. 2096, the Cybersecurity Enhancement Act of 2011, and H.R. 3834, the Advancing America’s Networking and Information Technology Research and Development Act, are scheduled to be considered April 27.
CISPA was passed by a healthy margin of 248-168, with opposition coming primarily from the Democrats, although voting was not along straight party lines.
The bill allows the federal intelligence community to share classified cyber threat intelligence with appropriate entities in the private sector “consistent with the need to protect the national security of the United States.” It would streamline the granting of security clearances for private-sector officials and also would allow voluntary sharing of threat information among companies and with government.
Companies sharing the information could restrict its use, and it could not be used for unfair business advantage. Among the controversial provisions of the bill are exemptions from liability that would shield companies from any civil or criminal action for use or misuse of information as long as they are acting in good faith.
Government would be barred from using the information for regulatory purposes, but could use it for any cybersecurity purpose or for “the protection of the national security of the United States.”
The intelligence community’s inspector general would report annually on abuses of information being gathered under the bill.
The IT industry applauded passage of the bill, which it sees as a tool to enable sharing of threat information and eliminate some liability concerns about the use of information.
The bill “unties the hands of companies on the front lines of the digital economy,” said Robert Holleyman, CEO of the Business Software Alliance. “The bill will let IT professionals share important threat information with their peers in government and in the private sector who ‘need to know’ and ‘need to act.’”
Opponents of the bill, however, criticized it as overly broad and lacking adequate protection for personally identifiable information that could be included in data being shared. There were concerns that it could open the door for improper use of the information by government, and that companies would be able to hide misuse of information behind broad liability exemptions.
The bill also has been criticized for giving the military and the intelligence community too large a role in civilian cybersecurity and not giving that role to the Homeland Security Department. For that reason, the Office of Management and Budget on April 25 released a statement saying it “strongly opposes” the bill in its current form and that senior advisers recommend its veto by President Barack Obama if it passes the House and Senate.
The Federal Information Security Amendments Act was passed by voice vote. It would amend the Federal Information Security Management Act to “provide for development and maintenance of minimum controls required to protect federal information and information infrastructure.” The bill focuses on implementation of commercial security products and would leave selection of security tools to individual agencies.
The bill would require risk-based security, a key component of which would be continuous monitoring of systems.
Cybersecurity legislation expected to be considered today includes: