The U.S. House of Representatives has voted to approve a controversial cyberthreat information-sharing bill, despite opposition from the White House and several privacy and digital rights groups.
The House on Thursday voted 288-127 to approve the Cyber Intelligence Sharing and Protection Act (CISPA), a bill that would allow U.S. intelligence agencies to share cyberthreat information with private companies. It would also shield private companies that voluntarily share cyberthreat information with each other and with government agencies from privacy lawsuits brought by customers.
The bill would still need to be passed by the U.S. Senate before heading to President Barack Obama for his signature. The Senate declined to act on another version of CISPA during the last session of Congress, and earlier this week, Obama's advisors threatened a veto, although that was before the House approved a handful of amendments intended to address privacy concerns.
CISPA would allow private companies to share a broad range of customer data with each other and with government agencies, privacy groups have complained.
Supporters, however, argued the legislation is needed to encourage better information sharing about active cyberattacks, resulting in better defense of U.S. networks. Federal law now prohibits intelligence agencies from sharing classified cyberthreat information with private companies.
The bill will help protect the U.S. against cyberattacks from China, Iran and other countries, supporters said. Cyberespionage has cost the U.S. tens of thousands of jobs, as foreign companies steal the blueprints of U.S. products, said Representative Mike Rogers, a Michigan Republican and primary sponsor of CISPA.
"If you want to take a shot across China's bow, this is the answer," he said to applause on the House floor.
The bill correctly balances privacy concerns with the need for security, added Representative Dan Maffei, a New York Democrat. Rogue nations and "even independent groups like WikiLeaks" are taking aggressive measures to attack the U.S. power grid, air-traffic control systems and customer financial data, he said.
"Every day, international agents, terrorists and criminal organizations attack the public and private networks of the United States," he said. "While I do always have some concern that the U.S. government may access our private information in the cyber sphere, I am more concerned that the Chinese government will access our private information."
The House on Thursday voted for a handful of amendments to the bill intended to improve privacy protections in the bill. Lawmakers approved an amendment designating the U.S. Department of Homeland Security and U.S. Department of Justice as the primary repositories of cybertheat information shared by private companies, addressing a concern by several privacy groups that CISPA would give the U.S. National Security Agency unfettered access to customer data.
Lawmakers also approved an amendment prohibiting companies that receive cyberthreat information from others from using the data for marketing purposes. The House also approved another amendment that strictly prohibits government agencies from using the shared data to conduct surveillance on U.S. residents.
Still, some Democrats said the bill did not include enough privacy protections. CISPA does not require private companies to scrub unnecessary customer information from the data they share with each other and with government agencies, and it includes overly broad protections from lawsuits for companies that share information, said Representative Nancy Pelosi of California, the Democratic leader in the House.
Private companies can "just ship the whole kit and caboodle," Pelosi said.
Companies should ship only information that is relevant to national security, she said. "The rest is none of the government's business," Pelosi added.
A broad range of tech companies and trade groups voiced support for CISPA. "Every day, Internet service providers see and respond to a growing number of cyber threats that could cause significant economic damage and personal privacy breaches," the National Cable and Telecommunications Association said in a statement. "[CISPA] enables private companies and the government to share information that will enhance protection of our Internet infrastructure, consumers and America's economy."
Digital rights group Free Press said it was disappointed in the vote.
"CISPA would still obliterate our privacy laws and chill free expression online," policy director Matt Wood said in an email. "We need to make sure companies remove irrelevant personal information when they share our data, and that companies can be held accountable for ignoring and abusing Internet users' civil liberties."
Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's e-mail address is [email protected]