A Maryland Congressman is resurrecting his much-proposed, never-passed cybersecurity bill that would allow private companies and individuals to share data with intelligence agencies. This time is different for Rep. C.A. Dutch Ruppersberger (D-Baltimore), though, because of a White House proposal that looks awfully similar to what he’s been proposing for the past several years.
Shortly after the New Year, Ruppersberger re-introduced the Cyber Intelligence Sharing and Protection Act (CISPA). The new bill is identical to a version that was passed by the House last year.
The bill lays out a framework that would allow data sharing of potential threats between “protected entities,” which include corporations, government entities or others that either have a security clearance, or have shown that they can protect cyberintelligence. It also offers a measure of legal immunity to the companies who opt to share the data, essentially meaning they can’t be sued even if the data doesn’t turn out to be connected to a threat.
In introducing the latest version, Ruppersberger, whose district includes the NSA headquarters at Ford Meade, invoked the recent Sony hack. He said the bill would help businesses “proactively prevent attacks” before they happen.
Past versions of the bill have run into opposition from privacy advocates, who argue that the network established by the bill could result in the government ending up with information that has nothing to do with cyber threats. In response, Ruppersberger told Technical.ly Baltimore in 2013 that the information won’t allow the government to monitor emails or computers, and that the sharing program is “entirely voluntary” for the companies.
One key player in seeing the bill through to passage, however, has changed sides — somewhat.
Though the bill has passed the House in 2013, President Barack Obama threatened to veto it. He then issued an executive order on cybersecurity that allowed for one-way data information sharing from companies to the government, but didn’t authorize the network envisioned by CISPA.
In the wake of the Sony hack, the President’s thinking may have changed. At this week’s State of the Union, the President spoke about a package of legislative proposals that “encourages the private sector to share appropriate cyber threat information” with intelligence agencies, and offer “liability protection.” It even encourages the private sector to set up their own organizations, which will also receive the data that is shared.
Sound familiar? It does to the key players in the CISPA debate.
“The President’s proposal looks a lot like the bill I introduced along with former Republican Intelligence Committee Chairman Mike Rogers, the ‘Cyber Intelligence Sharing and Protection Act,’ a bill that has twice passed the House of Representatives with wide bipartisan margins,” Ruppersberger said in a statement released after the White House proposal came out.
Ruppersberger said he mostly agrees with the proposal, but still wants to see a few additional issues ironed out as the President’s proposal makes its way through the legislative process. In other words, CISPA is still on the table.
According to spokeswoman Jaime Lennon, Ruppersberger disagrees with the President about how to remove Personally Identifiable Information (PII) from the data. Companies claim that removing the information would be expensive, and fear they will lose liability protection if they do it wrong, Lennon said. As a result, Ruppersberger advocates that the government remove the info. Under the White House proposal, the companies would remove the PII, and liability protection is contingent on the removal of the data.
Ruppersberger also has concerns about Obama’s proposal for targeted liability protection for sharing data with the National Crime Information Center.
“During our due diligence, many companies argued against this because it means they can no longer go through FBI, Secret Service, etc., even if they have a pre-existing relationship,” Lennon said in an e-mail.
With these issues outstanding, CISPA is still on the table. However, Ruppersberger said he is willing to work through the issues.
The Electronic Frontier Foundation, a consistent critic of CISPA, also saw the similarities, and couldn’t help but point out Obama’s past position.
“Given that the White House rightly criticized CISPA in 2013 for potentially facilitating the unnecessary transfer of personal information to the government or other private sector entities when sending cybersecurity threat data, we’re concerned that the Administration proposal will unintentionally legitimize the approach taken by these dangerous bills,” a Foundation statement said.
Knowledge is power!
Subscribe for free today and stay up to date with news and tips you need to grow your career and connect with our vibrant tech community.