The House on Thursday evening approved a bill that requires elements of the intelligence community to share information about cyber security threats with certified entities in the private sector, opening the door to what proponents of the bill hope will be improved information sharing between the private sector and the intelligence community on cyber threats.
The Cyber Intelligence Sharing and Protection Act (CISPA), H.R. 3523, also says that the private sector can share threat data with other certified entities as well as with the federal government, although such sharing is not mandatory.
The bill had a measure of bipartisan support, with 42 Democrats joining 206 Republicans to pass the bill 248 to 168. In opposition, 140 Democrats were joined by 20 Republicans.
CISPA was sponsored by Rep. Mike Rogers (R-Mich.), chairman of House Permanent Select Committee on Intelligence, and Rep. Dutch Ruppersberger (D-Md.), the ranking member.
While the bill calls for the intelligence community to establish the guidelines for sharing cyber threat data with the private sector, the key provision that may better enable the voluntary sharing of information by certified private entities with the federal government and with other certified private sector entities is a clause on liability protection. That clause shields certified entities from civil and criminal actions in federal and state courts over information shared for cyber security or national security purposes.
The bill doesn’t prevent private entities from sharing personal data with the federal government, which is a source of contention around the legislation, but does say that appropriate safeguards must be taken including “appropriate anonymization or minimization” of shared information.
Rep. James Langevin (D-R.I.), who backed CISPA, said that two-way information sharing on cyber threats will give the government better situational awareness although he added that the voluntary sharing of information is “helpful…but it does not on its own constitute strong cyber security.” He also said the bill offers stronger privacy protections than originally proposed.
CISPA is narrow in scope. It does not address the authorities that the White House and others in Congress want in order to define the Department of Homeland Security’s role in working with the private sector and the rest of the federal government on sharing cyber security information, nor does it create or enforce minimum security standards within the private sector.
In a statement on Friday, four senators who have crafted comprehensive cyber security legislation applauded the passage of CISPA and several other bills in the House but also cited shortcomings.
“We are troubled House leaders blocked consideration of protections for critical infrastructure systems, ignoring the advice of our military and intelligence leaders as well as most cyber security experts,” Joseph Lieberman (I/D-Conn.), Susan Collins (R-Maine), Jay Rockefeller (D-W. Va.), and Dianne Feinstein (D-Calif.), said. The senators are referring to the lack of any type of minimum security standards required of critical infrastructure owners and operators in the House legislation.
The Cyber Security Act of 2012, introduced in February by the four senators, does require the establishment of minimum cyber security requirements for critical infrastructure. Their bill is expected to be brought to the Senate floor this year.
Also on Thursday evening, the House passed by voice vote a bill that would update the Federal Information Security Management Act by requiring federal agencies to take a more dynamic and flexible approach to monitoring the security of their respective networks.
The Federal Information Security Amendments Act of 2012, H.R. 4257, calls for automated and continuous monitoring of agency information systems in real time or near-real time. Current law fosters a “check-the-box” approach to network security monitoring, whereas the new legislation allows agencies to take a risk-based and flexible approach to protecting their networks, one industry official told Defense Daily.
On Friday, the House approved two additional cyber security-related bills that call for federal agencies to develop strategic plans to better prioritize federal spending on cyber security research and development.
The Cybersecurity Enhancement Act of 2011, H.R. 2096, requires agencies to update every three years the strategic plans that guide the overall direction of federal spending on cyber security and information assurance. The bill would also require the president to report on the cyber security workforce needs of the federal government. The bill was approved 395-10.
The Advancing America’s Networking and Information Technology Research and Development Act of 2012, H.R. 3834, directs federal agencies researching and developing information technology to also develop strategic plans. The measure passed by voice vote.