House cybersecurity sponsors respond to privacy concerns

Leaders of the House Permanent Select Committee on Intelligence pledged Tuesday to amend their cybersecurity bill, the Cyber Intelligence Sharing and Protection Act, to address the main concerns raised by civil libertarians and privacy advocates. The revisions are clear improvements, and they show that the committee is trying hard to limit the measure’s scope. Nevertheless, the bill still has a fundamental problem: By encouraging network operators to share information with the government about what their customers do online, it threatens to turn ISPs and online service providers into snoops.

An array of lawmakers from both parties had filed more than 40 amendments by early Tuesday evening, occasionally in bipartisan clusters of liberty-oriented Republicans and liberal Democrats. These proposals seek to limit the type of information that could be collected and shared in the name of cybersecurity; ensure that civilian agencies were in charge of that information, not the Pentagon or the National Security Administration; require the elimination or minimization of personal information shared with and retained by the government; restrict federal agencies’ use of that information to cybersecurity and, possibly, national security; and narrow the liability protections so they applied only to actions taken to promote cybersecurity.

The amendment outlined by the committee’s chairman, Rep. Mike Rogers (R-Mich.), and its top Democrat, Rep. C.A. Dutch Ruppersberger (D-Md.), offers at least some accommodation on all these issues. It would define much more precisely the information that could be collected and shared. It would sharply narrow the uses that the feds could make of any such information, allowing only those efforts that are related to cybersecurity, protecting against serious bodily harm, safeguarding minors from kidnapping and sex crimes, and protecting national security. It would bar the feds from retaining information not related to those purposes. It would clarify that the feds wouldn’t have any new authority to install cybersecurity systems on private-sector networks. And it would narrow the liability protection so that it doesn’t apply beyond the cybersecurities activities discussed in the bill.

Nevertheless, the amendment (which still had not been filed as of this writing) apparently would not require that cybersecurity systems strip or minimize the personal information they collect before sharing it with the government. And it defines “threat” information so broadly that the collected data could include any email containing an attachment or a link. After all, that’s how hackers often spread their malware.


Hackers pose a real risk to national security and a menace to any person or business who connects to the Internet. Their tactics have improved faster than the technology to fend them off. And they’ve found a comfortable home, and even a potential sponsor, in some less-developed foreign countries. So it makes sense for Washington to try to come up with a better response. The question is what the right role for Washington might be, and how deeply it can get involved without forcing the public to trade cyber civil liberties for security.

The House is scheduled to start debating CISPA Thursday and vote Friday. The debate will then shift to the Senate, where several comprehensive cybersecurity bills await action.


Beefing up cyber security


Cloudy skies for LA’s solar efforts

AT&T in Sacramento: No defenders of the indefensible