The battle over the Cyber Intelligence Sharing and Protection Act (CISPA) is certain to heat up over the next few weeks, as the U.S. Senate begins debate on its versions of the controversial cybersecurity legislation.
The U.S. House Thursday passed its CISPA bill in the face of a White House veto threat.
Privacy advocates and civil rights groups, which bitterly opposed the bill passed by the House, promised today to intensify their protests as the debate moves on to the Senate.
The opponents of the legislation contend that, despite late changes to the bill, it would undermine fundamental privacy protections granted to Internet users under multiple statutes, including the Federal Wiretap Act and the Electronic Communications Privacy.
Meanwhile, the scores of high technology companies and trade associations that support CISPA argue that the measure is a vital part of an effort to improve cybersecurity at a time when U.S. business, government and critical infrastructure networks face unprecedented hacker attacks.
The House version passed yesterday was introduced last November by Reps. Mike J. Rogers (R-Mich.) and Rep. C.A. Dutch Ruppersberger (D-Md.), by a vote of 248 to 168.
The bill aims to make it easier for Internet Service Provides and Internet companies to collect and share cyber threat information gleaned from their networks with federal agencies like the U.S National Security Agency.
Critics charge that the bill remains vaguely worded and would allow government agencies unprecedented access to business and private Internet communications.
The critics say the legislation would give ISPs and other Internet companies too much leeway to collect and share all kinds of user data with the government. And, they add, government agencies could use the data They say it will let federal agencies use the data for national security and other law enforcement purposes as well as to blunt cyber thieves.
The bill's backers did add late amendments to the original bill in an effort to address privacy concerns. For instance, the amendments add restrictions limiting the kind of data that can be collected and shared, and on how that data can be used.
In a statement after yesterday's vote, Rogers said the amended bill provides the federal government with the authority it needs to share cyber threat information with the private sector.
The bill "knocks down barriers to cyber threat information sharing" while ensuring privacy protections for Internet users, Rogers said. "We can't stand by and do nothing as U.S. companies are hemorrhaging from the cyber looting coming from nation states like China and Russia."
Rogers is chairman of the powerful House Intelligence Committee.
But groups such as the Electronic Frontier Foundation (EFF), Center for Democracy and Technology (CDT) and the American Civil Liberties Union said that CISPA remains a dangerous threat to online privacy even with the amendments.
The EFF condemned Thursday's vote in the House and vowed to continue its fight against in the Senate.
"Hundreds of thousands of Internet users spoke out against this bill, and their numbers will only grow as we move this debate to the Senate," said Lee Tien, EFF's senior staff attorney, in a statement. Tien added that EFF will continue opposing the bill in an effort to ensure that "Congress does not sacrifice those rights in a rush to pass vaguely-worded cybersecurity bills."
The CDT, meanwhile, is "extremely disappointed" by CISPA's passage in the House, said Mark Stanley, the public policy organization's new media manager. "We think it is a seriously flawed piece of legislation and we think the process by which it was passed is flawed," he said.
The CDTs biggest concern is that the legislation would allow private companies to share Internet communications data with the NSA without judicial oversight. The fact the data can be used for a broad range of national security purposes is disconcerting Stanley added.
Following the House vote, the focus of backers and opponents quickly shifted to two cybersecurity bills being considered by the Senate.
The Cybersecurity Act of 2012, is sponsored by Sen. Joseph Lieberman (I-CT), and the Secure IT act is sponsored by Sen. John McCain (R-AZ).
Both bills have problems said Jerry Brito, director of the Technology Policy Program at the Mercatus Center at George Mason University.
The McCain bill is closer to CISPA in language and intent than Lieberman's, which would put the United States Department of Homeland Security in charge of overseeing cybersecurity.
Like CISPA, the Secure IT act would allow private companies to collect and share a broad range of Internet user information with the NSA and several federal agencies, under the premise of cybersecurity, Brito said.
Rather than tweaking existing statutes to make information sharing easier, Secure IT, like CISPA, proposes fundamentally new rules. "It takes a scythe rather than a scalpel to privacy laws," Brito said.
Lieberman's proposal would put the United States Department of Homeland Security in charge of regulating critical infrastructure protections, he said. "I've not seen the case yet where the government needs to come in and tell private network operators how to secure their networks," Brito said.
Of the two bills, Lieberman's proposal looks the one more likely to be debated in the Senate, Brito predicted.
If and when a Senate passes a bill, it will then need to be reconciled with the House version before it lands on the President's desk. The White House on Wednesday threatened to veto the CISPA legislation in the form passed by the House.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed . His e-mail address is [email protected].
Read more about security in Computerworld's Security Topic Center.