Yes, it did not generate as much grassroots online angst as the now shelved SOPA and PIPA online piracy acts. However, make no mistake about the Cyber Intelligence Sharing and Protection Act (CISPA), a.k.a. H.R. 3523, which passed the U.S. House of Representative Thursday night by a vote of 248-168.

The bill has caused a political fire storm that is not likely to subside. 

Hot potato

Who would have thought that getting legislation passed to secure the U.S. from cyber attacks could create such political chaos? This would seem like something everyone could get behind. So much for perception versus reality. 

Since most of you reading this are probably not political junkies, bear with me for a bit as I review the roots of the controversy.

Rep. Dutch Ruppersberger (D-Md.), along with Rep. Mike Rogers (News - Alert) (R-Mich.), the chairman of the House Intelligence Committee, introduced CISPA with bi-partisan support, several months ago. In short, CISPA eliminates legal barriers that prevent companies sharing information about cyber threats with the government.

While always a contentious subject due to its attempt to balance security and business interests with privacy concerns, it was not until Wednesday of this past week that the White House broke its silence on the subject to voice its opposition to the bill. That essentially adopted the arguments by privacy advocates, who believe the bill would end privacy as we in the U.S. know it. A veto is threatened. 

The case against CISPA is the contention that it allows companies to provide the federal government, upon reasonable request, the personal information they collect if the agency believes an individual poses a threat to national security. It also supersedes all other privacy laws, and there is no liability attached if the companies misuse/abuse the data. 

Amendments were added during debate on the bill, which did make some of the provisions that seemed loosely defined, as to which agencies could get access to what information. This was enough to get some Democrats to vote for the measure, cover with their big digital industry donors, but hardly mollified privacy advocates and did little to address the fundamental concerns of the White House. 

It should be noted that the Obama administration does support an alternative cybersecurity bill in the U.S. Senate, sponsored by Senator Joe Lieberman (I-Conn.) and Susan Collins (R-Maine). That bill includes significantly tougher privacy protections even compared to the amended bill that passed the House, and would set mandatory security standards for critical infrastructure, such as electrical grids, banks and telecommunication networks. 

There is one little fly in the ointment. The Senate bill has been described kindly as a “non-starter,” since Senate Republicans believe such regulation would be too onerous on the industry.

Game on

The usual suspects had the expected reactions. Early responses included one from the Business Software Alliance (BSA), who was quick out of the box to commend the House. “The bill will let IT professionals share important threat information with their peers in government and in the private sector who ‘need to know’ and ‘need to act,” said ‘BSA’s CEO Robert Holleyman. “BSA looks forward to remaining fully engaged at every stage to ensure a bill is enacted into law this year that bolsters cybersecurity while protecting civil liberties.” 

Privacy advocated on the losing side of the vote vowed to fight on. The reaction of the Center for Democracy & Technology was almost restrained compared to some but is worth a read:

“We are very pleased that those amendments were adopted, leaving the bill better for privacy and civil liberties than it was going into the process,” it said.

“However, we are also disappointed that House leadership chose to block amendments on two core issues we had long identified - the flow of information from the private sector directly to NSA and the use of that information for national security purposes unrelated to cybersecurity. Reps. Thompson, Schakowsky and Lofgren wrote amendments to address those issues, but the leadership did not allow votes on those amendments. Such momentous issues deserved a vote of the full House. We intend to press these issues when the Senate takes up its cybersecurity legislation.”

The American Civil Liberties Union (ACLU) was harsher. It too focused in on the bill’s provisions of empowering the military, including agencies like the National Security Administration (NSA), to collect Internet records of citizens everyday online activities. The ACLU argues that it is a long-established principle in the U.S. that the military is not permitted to spy on average citizens, and thus giving NSA  direct access to that information is basically Big Brother at its most feared.

“Even in the wake of the September 11 attacks and the many rewrites of our surveillance laws over the last decade, Congress has never turned the NSA loose on the internet without even minimal court and congressional oversight,” they stated. “Yet, that’s exactly what the House has now passed.”

In a statement by Michelle Richardson (News - Alert), ACLU legislative counsel, “CISPA goes too far for little reason…Cybersecurity does not have to mean abdication of Americans’ online privacy. As we’ve seen repeatedly, once the government gets expansive national security authorities, there’s no going back. We encourage the Senate to let this horrible bill fade into obscurity.”

 Where do we go from here?

The above is a really interesting question. There is an absolute consensus that cybersecurity represents  a near, clear and present danger. The press has been filled with accounts about Russian and Chinese hackers trying to compromise key national defense computers, and the Iranians have made no secret that they would enjoy a digital disaster to our critical infrastructure. It is also no secret that since 9/11, the protection of our critical infrastructure from cyber attack has not kept up with capabilities of those who wish the U.S. harm. In other words, doing nothing really cannot and should not be an option.

And because it’s an election year, doing nothing by virtue of a legislative stalemate is likely what is going to happen. Republicans will block the stricter Senate bill if it includes more regulation, and Democrats in the Senate will not pass something that ignores infrastructure or leaves oversight of privacy in the hands of civilians with avenues for citizen redress of abuse. And the Obama administration has already made it clear it will veto any bill that does not address the concerns it raised in its Wednesday statement.

Many years ago, the British came up with an expression that covers this: “a fine kettle of fish,” i.e., what an awkward state of affairs. One the one hand, cybersecurity must be addressed and there is a need for the government to monitor the activities of those who would do us harm including home-grown terrorists. On the other hand, what constitutes the proper process and oversight of information and the sharing of it between public and private entities needs to be addressed with a balanced approach.

 This will probably make nobody happy, and is unlikely in a political environment where the word “compromise” is considered a four-letter word. And even if by some miracle the Senate does pass a bill, the odds of reconciliation of it with the House bill in conference, by a Congress which has had only five such conferences in the entire two year session, that fashions something the President could sign into law are ZERO. 

At the end of the day, the problem will persist and grow greater and despite all of the hand waving and posturing the country will be worse off. A Yiddish expression says it all: OY VEY!