Cyber Intelligence Sharing and Protection Act gains personal data controls to win Obama support
The House Intelligence Committee will add privacy safeguards to a cybersecurity proposal in an effort to win support of President Barack Obama and other lawmakers, the panel's top Republican and Democrat said.
Committee Chairman Mike Rogers, a Michigan Republican, and the panel's top Democrat, C.A. "Dutch" Ruppersberger of Maryland, told reporters Monday they will support at least five amendments to the bill, which provides lawsuit immunity sought by companies including AT&T Inc. and Boeing Co.
The changes include requiring the government to minimize collection of information that could identify citizens in the process of sharing cyber threat data with the private sector, Rogers and Ruppersberger said on a phone call. The lawmakers said they also want a provision saying companies only can use cybersecurity data to protect their networks, not for marketing purposes.
"The improvements that we plan to make to the bill at the markup will address several of the administration's concerns," Rogers said. "And we plan to keep talking and moving toward a consensus that will allow us to get the bill signed into law."
The Intelligence Committee has scheduled an April 10 closed-door meeting to vote on the amendments and the measure. Obama threatened to veto the bill last year partly over privacy concerns.
The White House hasn't said whether it supports the bill with revisions, Ruppersberger said.
Privacy Protections Other changes include denying firms legal protections if they use cyber threat information to hack each other; dropping language allowing agencies to use information for national security purposes; and creating roles for the government's privacy and civil liberties board and federal privacy officers to review how information is shared and used, Rogers and Ruppersberger said.
Congress is renewing its push to improve U.S. digital defenses as warnings increase about computer attacks. A Feb. 19 report from security firm Mandiant Corp. concluded the Chinese army may be behind a hacking group that has hit at least 141 companies worldwide since 2006.
The legislation, called the Cyber Intelligence Sharing and Protection Act, passed the House 248 to 168 last April and didn't advance in the Senate, where it was blocked by Republicans who said it would lead to regulation.
Rogers has said Obama's cybersecurity executive order in February, which sets up a system of voluntary computer-defense standards for critical industries, created an opening to pass an information-sharing bill.
Many of the House bill's corporate supporters are among the top 20 contributors to Rogers' 2011-2012 campaign committee, according to the Center for Responsive Politics, a Washington- based research group. They include AT&T, Verizon Communications Inc., Boeing and Lockheed Martin Corp. employees and their families.
Ruppersberger's top contributors in the same period also include Boeing and Lockheed employees and their families, according to the center.
"With 82 percent of our company's sales derived from U.S. government customers, we naturally have interactions with virtually every standing committee in the United States Congress" that has agency oversight, Rob Fuller, a Lockheed Martin spokesman, said in an e-mail.
Michael Balmoris, an AT&T spokesman, didn't respond to a request for comment. Edward McFadden, a Verizon spokesman, declined to comment.
The American Civil Liberties Union and other advocacy groups have stoked online opposition to the House bill, saying it would allow Americans' personal data to be shared with the National Security Agency and the military. The ACLU also objected to allowing the government to use data for undefined "national security" purposes.
Michelle Richardson, ACLU legislative counsel, called the bill a "privacy disaster." Congress should focus on "smarter alternatives," she said in an interview before Rogers and Ruppersberger announced the amendments.
The proposed changes don't include putting a civilian agency such as the Homeland Security Department in charge of information sharing, a priority of privacy advocates.
Rep. Adam Schiff, a California Democrat on the committee, said he would introduce an amendment requiring companies to try to remove personal data before sharing.
Senate Action Caitlin Hayden, a White House spokeswoman, declined to comment on the House bill, referring to previous statements that cyber legislation should guard privacy, reinforce the appropriate roles of civilian and intelligence agencies, and include "targeted" liability protections for companies.
A Feb. 13 petition on the White House website protesting the Rogers bill's lax privacy protections has gathered 100,000 signatures, the threshold to trigger a White House response. Hayden declined to say how or when the White House would respond.
"The bill doesn't really go very far until the Senate has something that can match it, and they're not close to that," said James Lewis, technology program director at the Center for Strategic and International Studies in Washington.
Facebook Inc., Microsoft Corp. and some technology trade groups that endorsed the original House legislation have been more tepid this year.
Facebook, owner of the world's largest social network, said in a letter last year the legislation "helps provide a more established structure for sharing within the cyber community while still respecting the privacy rights and expectations of our users."
Asked for Facebook's current position, spokeswoman Jodi Seth said in an e-mailed statement the company is "encouraged" by the House interest and seeks a "legislative balance" that promotes information sharing and ensures the privacy of its users.