CISPA, the ill-conceived piece of US legislation on information sharing and cybersecurity, is back. Yesterday, the Intelligence Committee of the US House of Representatives held a hearing on cybersecurity, under the banner of “Advanced Threats Facing Our Nation.” The committee, chaired by Republican congressman Mike Rogers, heard testimony from representatives of the financial, energy, corporate, and security industries. No representative of the civil liberties or privacy community was invited to testify.
Rogers and Dutch Ruppersberger, the ranking Democratic congressman on the committee, used the hearing to advocated for their co-sponsored and recently reintroduced Cyber Intelligence Sharing and Protection Act, or CISPA, while largely glossing over the concerns of privacy and civil liberties advocates. Arguing that the cybersecurity threats were both imminent and catastrophic, the assembled experts–hand picked by Rogers and Ruppersberger–testified for the need for the bill, which grants broad information sharing powers from the private sector to government agencies.
Throughout the hearing, Rogers and Ruppersberger defended the bill as strong on privacy and civil liberties, a position that is directly at odds with the analysis offered by US civil liberties and privacy groups, including the ACLU and EFF. Without inviting any privacy expert to testify, Rogers dismissed the concerns of the collective civil liberties community, stating, “I think candidly, there’s this huge gap between what they think what happens and what happens,” a view echoed by the assembled industry representatives, who repeatedly asserted no personally identifiable information would be shared.
Democratic congressman Adam Schiff pushed back on these statements, asking whether industry participants in the proposed information sharing program would take further steps to protect privacy. Schiff, who voted against CISPA on the floor of the house last year, announced after the hearing that was considering proposing a set of privacy-enhancing amendments. However, his intention to model them on 2012’s flawed proposed Senate cybersecurity legislation raised questions as to whether those amendments would go nearly far enough.
Last year, the Obama administration threatened to veto the original CISPA, citing significant privacy concerns. So far, the White House has refused to say whether it would offer a similar veto threat, citing a policy of not commenting on legislation under development–despite the fact that the reintroduced bill is identical to the one that failed in 2012.
Meanwhile, the White House has been busy on cybersecurity, issuing an executive order on Tuesday that directs information sharing on critical threats from government to the private sector. Although the order offers significantly better privacy protections than CISPA, Access believes it also raises concerns about transparency and the possibility of future information sharing from companies to government agencies.
On Tuesday night, President Obama used the annual State of the Union address to call for cybersecurity legislation, asking Congress to pass bipartisan “legislation to give our government a greater capacity to secure our networks and deter attacks.” This, along with statements from Ruppersberger that this latest effort includes ‘working with the White House,’ raises concerns that “CISPA 2.0” may get a pass this time around.