Cyber information sharing bill gets new life in House

Although last year’s efforts to pass cybersecurity legislation in Congress were repeatedly stymied by gridlock, the top Republican and Democrat on the House Intelligence Committee say 2013’s a whole new ball game.

Reps. Mike Rogers (R-Mich.) and Dutch Ruppersberger (D-Md.), the chairman and ranking member of the Intelligence Committee, respectively, cosponsored one of several cybersecurity bills in the last Congress, the Cyber Intelligence Sharing and Protection Act (CISPA). It cleared the House, but died in the Senate in the midst of a White House veto threat.

But Rogers said he and Ruppersberger now have mended fences with the White House. Addressing the Center for Strategic and International Studies Wednesday, Rogers praised the President for issuing an executive order this week to strengthen cybersecurity, a step he said would advance the cause of the legislation. He said it also was a good thing that the President brought up the topic during the State of the Union address.

“He also acknowledged we need to pass a bill in Congress, another very good thing. It’s a tone change, and we’re wildly accepting of that change,” he said. “And the executive order, we think, takes a little bit of the pressure off of the Senate’s insistence on creating [cybersecurity] rules, regulations and standards for private infrastructure. All of that combined, I think, increases our opportunity to get a cyber information sharing bill that we all believe is important.”

And Ruppersberger said the Intelligence Committee and the White House now are actively discussing the way forward in Congress — a contrast to the environment surrounding last year’s veto threat, which the Maryland Democrat described, at the time, as a “kick to the solar plexus.”

“We had some issues with the White House last time, and we still don’t agree on everything. But what we do agree on is that we’re going to work together,” he said. “Our intelligence staff and the White House staff are working together now. We had a commitment again today from the White House. They will work with us because they know how serious this is.”

A more narrowly tailored bill

Rogers and Ruppersberger reintroduced CISPA Wednesday in a form they say is more narrowly tailored and that should solve the previous privacy concerns the White House and civil liberties groups expressed last year.

As opposed to the more overarching cybersecurity overhaul the Senate considered in the last Congress, the House Intelligence Committee bill focuses only on information sharing. The government’s intelligence community would be ordered to come up with a secure way of sharing classified cyber threat signatures with Internet service providers and other private sector companies. Those companies, in turn, could voluntarily share threat signatures with the government and would receive liability protection from any lawsuits that could otherwise arise from transmitting proprietary data.

But Rogers said that protection would not be a blank check to violate customer privacy. Companies, he said, would only be able to send to the government information about bona fide cyber threats, not the actual content of email messages, Facebook posts or tweets.

“If this was about content, none of this would work,” he said. “We’re not worried about content. It has to be about trying to find malicious code that’s embedded in an email or whatever, but that’s not the content. But in order to doubly make sure agencies are following the law, we’ve said the inspector general must, every year, do an audit and then report to us on how they’ve used the information, what kind of information they got, if they got it wrong, how they rectified it and properly destroyed the information, and make sure it’s not collected on government servers, which we thought was important.”

Limited use of information

In addition to oversight and an annual report by the Intelligence Community Inspector General, the revised bill would clamp down on the government’s use of any information it gets from private companies under the program. Last year’s bill, for example, would have let prosecutors use that shared information in child pornography investigations or matters relating more broadly to “national security” investigations. This year’s edition says agencies can only use the information they get from the private sector for “cybersecurity purposes.”

Nonetheless, the new bill drew criticism from at least one civil liberties group. The Constitution Project issued a statement saying it could still be used to authorize domestic spying and hand over personal information to government agencies.

“The safeguards for privacy rights and civil liberties contained in this cybersecurity bill are woefully inadequate,” said Sharon Bradford Franklin, the organization’s senior policy counsel. “While the goal of protecting our nation’s networks from cyber attacks is a laudable one, Congress must also address the very real threat this legislation poses to Americans’ privacy rights and civil liberties.”

Ruppersberger claimed he and Rogers have done all they can to solve the concerns of civil liberties watchdogs.

“We reached out, and it seemed that there was nothing we could do to change their views,” he said. “There’s just an opinion out there that the intelligence community is listening in on everybody, and believe me, they aren’t. It’s against the law for these agencies to spy on an American citizen unless we have an order from the [Foreign Intelligence Surveillance Court]. They go to jail if they don’t comply with that. We’ve bent over backwards to make sure we’re not invading anybody’s privacy, but the threats are so serious that we have to deal with them.”

Threat level is high

The threats, according to Rogers and Ruppersberger, are two-fold: intellectual property theft and the possibility of destructive cyber attacks on U.S.-based IT systems.

To the first point, Ruppersberger cited the National Security Agency’s estimate that foreign actors stole $300 billion worth of trade secrets from U.S. companies in 2012.

On the second, Rogers worries about an attack that could cause actual destruction of computing systems, similar to last year’s cyber assault on the Saudi state-owned oil company, Aramco.

“Some have argued that had the system used for that attack got a little farther out than it did before it was caught, it could have come back to impact parts of the United States, including some telecommunications companies. Some of that is still classified, but it was caught within days, not weeks, and think about how much damage that was,” he said.

“The world’s changed. We can admire this problem. We can talk about this problem. We can say we have differences of opinion on how we want to approach it, but the day has come when this kind of attack has reached the shores of the United States, and we’d better be ready for it. If not, we’re going to be picking up the pieces of what happens after an attack and I don’t think you want to see what Congress does then. We don’t do anything well after a significant emotional event.”
