House Passes CISPA

April 26, 2012. The House amended and passed HR 3523 [LOC | WW], the "Cyber Intelligence Sharing and Protection Act of 2011" or "CISPA", a bill that would incent cyber threat information sharing, and surveillance. The vote on final passage was 248-168. See, Roll Call No. 192.

Rep. Mike Rogers (R-MI), lead sponsor of the bill, and Chairman of the House Intelligence Committee (HIC), stated that "We can’t stand by and do nothing as U.S. companies are hemorrhaging from the cyber looting coming from nation states like China and Russia. ... America will be a little safer and our economy better protected from foreign cyber predators with this legislation." See, HIC release.

Rep. Jim Langevin (D-RI), a member of the HIC, voted for the bill. He stated that this bill "will allow the government to provide classified information threat signatures to the private sector and also allow the private sector to share with us the cybersecurity attacks that they are experiencing, sharing that with the government so we have better situational awareness."

He added that this "bill is a good step, but it's only a first step". He said that in addition legislation is needed that "establishes minimum standards for the cyber systems that govern our critical infrastructure, particularly the electric grid and our water systems". See, statement.

Rep. John Dingell (D-MI), who voted against the bill, stated that it "grants private entities that share information with the government exemption from liability. The bill also permits the government to use information received from private entities for purposes other than preventing cyberattacks. I cannot vote in good conscience to grant the authorities H.R. 3523 would vest in the federal government for fear of undermining Americans’ cherished civil liberties, which I have defended for my entire career in Congress." See, release.

Rep. Joe Barton (R-TX), who voted against the bill, read aloud the 4th Amendment of the Constitution on the House floor. See, video [You Tube]. He added that "The solution is worse than the problem they are trying to solve."

Rep. Zoe Lofgren (D-CA), who voted against the bill, spoke about cyber security at a Washington conference hosted by the Computer and Communications Industry Association (CCIA) on April 26. She said that the bill provides a role for the National Security Agency (NSA) in civilian life.

Rep. Jim Sensenbrenner (R-WI) also voted against the bill. He is a former Chairman of the House Judiciary Committee (HJC) who led House efforts to pass the USA PATRIOT Act in 2001, and then efforts to amend it extend its sunsetted provisions.

The Center for Democracy and Technology (CDT) stated in a release that it "is disappointed that CISPA passed the House in such flawed form and under such a flawed process".

It added that it is "disappointed that House leadership chose to block amendments on two core issues we had long identified -- the flow of information from the private sector directly to NSA and the use of that information for national security purposes unrelated to cybersecurity. Reps. Thompson, Schakowsky, and Lofgren wrote amendments to address those issues, but the leadership did not allow votes on those amendments.  Such momentous issues deserved a vote of the full House. We intend to press these issues when the Senate takes up its cybersecurity legislation."

Obama Administration. President Obama might veto this bill as passed by the House.

The Executive Office of the President (EOP) released a "Statement of Administration Policy" or SAP on April 25 that states that "the Administration strongly opposes H.R. 3523, the Cyber Intelligence Sharing and Protection Act, in its current form", and "if H.R. 3523 were presented to the President, his senior advisors would recommend that he veto the bill".

See, EOP statement and story titled "Obama EOP Opposes CISPA" in TLJ Daily E-Mail Alert No. 2,379, April 24, 2012.

Daniel Weitzner of the EOP and NTIA spoke about cyber security at the CCIA conference on April 26. He said that "we don't want to see a militarization of cyber space". He advocated information sharing, but also said that liability limitations should not create "lawlessness", and that the bill should not "sacrifice privacy and civil liberties".

Senate. The Senate has not yet passed this bill.

Sen. Mark Warner (D-VA) also spoke about cyber security at the CCIA conference on April 26. He stated that legislation that addresses cyber security "only on a voluntary basis" worries him. He said that there should also be standards.

Sen. Warner also warned that if there is a successful cyber attack on critical infrastructure in the US, "there would be an over reactive legislative response".

Sen. Charles Grassley (R-IA) spoke about cyber security at the Senate Judiciary Committee's (SJC) executive business meeting on April 26. He referenced the EOP's SAP, and said that "One of the major reasons the statement was allegedly issued was that the bill ``fails to provide authorities to ensure that the Nation's core critical infrastructure is protected.´´ In other words, the President won't sign the bill into law because it doesn't give DHS the power to regulate the private sector."

He continued that "I have been skeptical of giving DHS the power to regulate cybersecurity from the outset. But, I do believe the threat to our country from cyber-attacks is real. That is why I have cosponsored S.2151, the SECURE I.T. Act. This legislation will enhance cybersecurity without creating a new bureaucracy at DHS and without stifling innovation in the private sector with burdensome new regulations." See, S 2151 [LOC | WW] and Sen. Grassley's statement.

He said that given the Department of Homeland Security's (DHS) failure to approve any chemical facility's site plan under the Chemical Facility Anti-terrorism Standards (CFATS), it should not be given regulatory authority with respect to cyber security standards. He said that "Based upon the failures of CFATS" and "Absent proof, and not just assurances, that the problems are fixed, we should not even consider giving DHS another ounce of regulatory authority or additional layers of bureaucracy to deal with Cybersecurity."

Positive Reaction to CISPA Passage. Walter McCormack, head of the US Telecom, applauded passage of the CISPA. See, release.

Robert Holleyman, head of the Business Software Alliance (BSA), stated in a release that this bill "is critical because it unties the hands of companies on the front lines of the digital economy. The bill will let IT professionals share important threat information with their peers in government and in the private sector who 'need to know' and 'need to act.'"

Negative Reaction to CISPA Passage. The American Civil Liberties Union (ACLU) stated in a release that the CISPA "would allow companies to share private and sensitive information with the government without a warrant and without proper oversight. CISPA also gives companies the authority to share that information with the National Security Agency or other element of the Department of Defense."

Matt Wood of the Free Press stated in a release that "CISPA is a dangerous piece of legislation and it’s worrisome that the House has passed such an overreaching bill. The bill still lacks effective oversight and accountability for companies and government agencies collecting massive amounts of our personal data. It would curtail Internet openness and freedom by stripping away crucial privacy protections, and without providing any guarantee of protection for critical infrastructure."

The Electronic Frontier Foundation (EFF) stated in a release that the CISPA "would allow companies to bypass all existing privacy law to spy on communications and pass sensitive user data to the government. EFF condemns the vote in the House and vows to continue the fight in the Senate."

The EFF's Rainey Reitman stated in this release that "We will not stand idly by as the basic freedoms to read and speak online without the shadow of government surveillance are endangered by such overbroad legislative proposals".