Three months have passed since the White House released its Executive Order (EO) on Cybersecurity and, as cyber attacks continue to pose an imminent threat, the focus has shifted to Congress to take legislative action. From the recent debate on the Hill, it is apparent the critical element for successful legislation is striking the delicate balance between ensuring the security of the country’s infrastructure while protecting an individual’s privacy concern to not have their personal information shared with government agencies.
Last month, the House passed Cyber Intelligence Sharing and Protection Act (CISPA). It is essentially the same bill passed in last year’s House that was reintroduced in February following the White House’s release of the EO. CISPA creates a voluntary process for private sector entities to provide the government with cyber threat information. Many telecom and technology entities support the bill’s broad liability protections for private entities sharing threat data with the government and consider it a powerful tool for the private sector to improve the security of their networks.
Privacy groups, however, have criticized CISPA claiming the bill including inadequate consumer privacy protections and the White House stated it would veto the bill. Some have claimed the bill flies in the face of constitutional protections against search and seizure and creates an avenue for the government to receive personal information without a warrant. The House Intelligence Committee attempted to dispel the mounting privacy concerns by adding five amendment including measures that direct all cyber threat information from private sector entities to agencies within DHS and DOJ to handle it confidentially and limits the use of all information to cybersecurity and national security interests. The added amendments did little to satisfy the privacy concerns.
Having passed in the House, CISPA now faces the Senate but is unlikely to ever reach a vote. Senator Rockefeller, Chairman of the Senate Commerce Committee, announced that while passage of CISPA was “important” the privacy protections were “insufficient”. The Senate Commerce Committee is instead working to gain bipartisan agreement on a bill that can pass in both the House and Senate, but the Commerce Committee has not yet to release a draft cybersecurity bill.
The debate over privacy considerations raises the question of the importance of personally identifiable information in connection with the collection and distribution of information associated with cyber threat activity. One perspective may be that, if it were easy to disassociate the personally identifiable information from the balance of the cyber threat activity data, it is likely CISPA would have resolved the privacy concerns. Regardless of the reasoning, one thing is certain: CISPA may have passed in the House, but the debate over cybersecurity legislation is far from over.