The U.S. House of Representatives took a step toward lowering the threat of cyber attacks on private and government entities Thursday afternoon by approving a bill that outlines how companies and the government can share information about such attacks.
The Cyber Intelligence Sharing and Protection Act, or CISPA, would let companies receive valuable government intelligence about cyber threats and protect them from legal liability for possible breach of customer privacy if they share their own threat data with the government. The House passed it 288-127.
“The issue here is that cybersecurity is a public-sector problem, and they have to figure out how to stop it, but the attack vector is the private sector,” said Andrew Serwin, a partner in the global privacy and data security practice group at law firm Morrison & Foerster. In other words, hackers won’t hack the CIA to take down the power grid, but rather would go after private companies that run the power grid. “Government agencies need to fight the threat, but they don’t have control of the systems where the attacks are going to happen,” said Serwin. “What CISPA tries to address is information sharing between public and private entities.”
Cybersecurity has emerged as a key concern among both public and private entities as cyber attacks have become increasingly frequent. A study released Thursday by security company Symantec found a 42 percent increase in the number of cyber attacks detected in 2012 compared to 2011. President Obama issued an executive order in January to strengthen cyber defenses and promote the sharing of information related to security threats.
But privacy advocates, including the American Civil Liberties Union, have opposed the bill for its broad limitations on liability, which they feel could undermine legal safeguards for Americans’ privacy. On Tuesday the Obama Administration issued a statement that threatened to veto the bill should it be passed in its current form, citing concerns that it isn’t strict enough in requiring private companies to remove irrelevant personal information when sending cybersecurity data to the government. The president threatened to veto a similar bill over the same concerns about a year ago. That bill eventually died in the Senate.
On Wednesday, CISPA’s sponsors proposed to amend the bill, addressing the issues brought up by the Administration and privacy advocates. It would ensure that the Department of Homeland Security, a civilian agency, would be the first recipient of cyber-threat data from companies.
“I think that this proposal is an important move that should help address the privacy concerns that have been raised by the advocates and also the Administration,” Serwin asserted. “Citizens must realize cybersecurity is as important as physical security. This is both a massive economic issue and a public-safety issue. It’s not companies wanting to give information to the government for no reason.”
The House on Thursday morning approved another amendment that addressed the need for accountability and oversight in protecting civil liberties, including a proposed annual report by the Department of Homeland Security’s Office of Inspector General that would review the information shared between companies and the government.
Rep. Dan Maffei (D-NY), one of 92 Democrats who voted in support of CISPA, noted before the vote that he had opposed the Patriot Act over concerns for civilian privacy, “but this is a different case. I’m more concerned the Chinese government will steal our private information than our own government.”
CISPA will have to overcome the President’s veto threat and pass in the Senate to get any farther than its last incarnation, but Serwin hopes CISPA’s passage in the House will remove the stigma surrounding the disclosure of cyber attacks by companies and encourage them to be more forthcoming in reporting security breaches and other threats.
“People have to realize that no one is perfect and everyone is vulnerable in some way,” he said. “Sharing information even internally in a company is a good business practice with appropriate controls. If companies don’t know what other companies know, it’s impossible to know if a threat is a major problem or just a one-off attack.”