A cybersecurity bill that riled privacy advocates when it was approved in the U.S. House of Representatives last week is looking like a non-starter in the Senate this week. And both opponents and proponents say its best chance at resurrection is to put a leash on exactly what types of information companies can share.
The Cyber Intelligence Sharing and Protection Act, or CISPA, was introduced in November by Rep. Mike Rogers, R-Michigan. The act, which passed the House easily April 18, sets standards for how digital information owned by private sector companies can be shared with government agencies to assess potential threats.
Industry leaders such as Microsoft and Google have welcomed the bill's treatment of companies -- something that wasn't included in past cybersecurity legislation such as the failed Stop Online Piracy Act -- but opponents worry the new legislation doesn't protect citizens' privacy.
CISPA would allow private sector companies to voluntarily offer government agencies information that pertains to network or system vulnerabilities; threats to the integrity, confidentiality or availability of a system or network; efforts to deny access or destroy a system or network; and efforts to gain unauthorized access to a system or network.
Companies also could choose which agencies would be able to review their data and would not be required to eliminate personally identifiable information. Government entities would be able to share information between agencies and would not be required to protect personal information.
David Segal, executive director of Washington, D.C.-based Demand Progress, expects privacy-supporting Democrats and some libertarian leaning Republicans in the Senate will most likely kill any vote.
Even if the bill encounters a supportive Senate, President Barack Obama last week vowed to veto it, citing privacy concerns and insufficient protections for utilities and other critical infrastructures.
"The sharing of information must be conducted in a manner that preserves Americans' privacy, data confidentiality, and civil liberties and recognizes the civilian nature of cyberspace. Cybersecurity and privacy are not mutually exclusive," reads a White House statement released Thursday.
Michelle Richardson, legal council for the American Civil Liberties Union, said citizens should stay alert for revamped versions of the bill being introduced in the future.
"While CISPA doesn't have a great chance of passing in the Senate, we as privacy advocates are going to have to stay vigilant to make sure 'CISPA-light' doesn't get invigorated in an effort to find compromise," she said.
Microsoft, Google, Yahoo and other tech and telecommunications heavyweights have spent $605 million in support of the bill's passage, according to the Washington, D.C.-based transparency advocate Sunlight Foundation Reporting Group.
Ms. Richardson said the bill gives industries a pass by allowing them to share personal information without threat of legal liability, something that bills such as the Stop Online Piracy Act (SOPA) did not.
A prime example of the shift in attitude for large companies is the fact that several supported an effort to block access to websites as a way to spread awareness about SOPA in January 2012, but few showed the same level of support for a CISPA-aimed blackout organized on April 22 by online activist group Anonymous.
"SOPA pitted different parts of the private sector against each other, but the Cybersecurity bill much more clearly benefits companies," Ms. Richardson said.
Although supporters argue the bill benefits the security of the nation, at least one of those proponents is looking for ways to protect both citizens and their privacy rights.
Rep. Patrick Meehan, a Republican from Pennsylvania's 7th District near Philadelphia, delivered opening remarks for Thursday's subcommittee hearing, "Striking the Right Balance: Protecting our Nation's Critical Infrastructure from Cyber Attack and Ensuring Privacy and Civil Liberties."
Mr. Meehan, one of 112 cosponsors for CISPA, did not mention the bill by name but said future cybersecurity legislation must protect citizen's rights.
"We must make clear the purpose of sharing information is to prevent cyber attacks and nothing else. We must include protections for individuals," he said.