• House Passes Cybersecurity Bill Despite Controversy
  • May 11, 2012 | Author: Anna Baker Trimble
  • Law Firm: Jackson Walker L.L.P. - Austin Office
  • Business executives and national security leaders are of one mind over the need to improve the security of computers that control elements critical to the U.S. infrastructure. But the two groups are divided over the question of who should bear the responsibility for that effort. The cybersecurity debate is complicated by the important fact that most critical elements of the U.S. infrastructure, from the electric grid to the telecommunications system, are privately held. If a U.S. adversary attacked the computer networks that control those systems, the companies that own them would have to take care of the networks themselves. Some security experts have raised questions about whether private industries are up to the challenge of defending against cyber attacks and whether the subject is getting adequate attention from corporate boards and senior executives.

    Enter Congress. In April, lawmakers introduced a variety of bills intended to bolster cybersecurity. The main difference among them appeared to be whether the government should require companies to build up their cyber defenses or just encourage them to do so.

    However, as the legislation took shape, another controversy emerged and has taken center stage.  The new debate is over privacy protections. The new cybersecurity legislation, officially named the Cyber Intelligence Sharing and Protection Act (CISPA), passed the House on a bipartisan vote of 248-168 late on Thursday, April 26, 2012. But amid concerns that the bill does not sufficiently protect individuals' privacy, the legislation ran into a significant pushback at midweek that portends further wrenching adjustments before a final bill can emerge from the Senate.

    CISPA allows private companies to voluntarily share information with certain governmental agencies including, among others, the National Security Agency in order to identify and defeat cyber attacks. The information sharing would be voluntary to avoid imposing new regulations on businesses, an imperative for Republicans.

    In addition, CISPA would:

    • Allow private companies to receive classified digital signatures and other data from U.S. government agencies, including intelligence agencies like the National Security Agency, to help identify malicious Internet traffic.
    • Give private companies (particularly, Internet service providers) the right to defend their own networks and their corporate customers — and share cyber threat information with others in the private sector and with the federal government on a voluntary basis.
    • Encourage, but not require, private companies to "anonymize" information that they voluntarily share with government and nongovernment entities.
    • Grant Internet service providers immunity from privacy lawsuits in which customer information was voluntarily disclosed as a possible security threat.
    • Grant Internet service providers and other companies antitrust protection that immunizes them against allegations of colluding on cybersecurity issues.
    • Require an independent audit of information shared with the government.

    The Obama administration prefers a Senate measure that would give the Homeland Security department the primary role in overseeing domestic cybersecurity and the authority to set security standards. However, the Senate measure is opposed by business groups because of requirements that businesses adopt measures to improve security, steps executives see as burdensome.

    The bill now goes, somewhat weakened, into a conference committee, there to be meshed with a new Senate cybersecurity bill, which is expected to be voted on next month. A final bill for the president to sign — or veto — could possibly emerge from Congress sometime this summer.