Cyber Threat Protections vs. Personal Data Privacy

A controversial cybersecurity bill that would seek to improve the sharing of threat information between businesses and the government has cleared a House committee and appears headed for a debate on the floor next week.

The Cyber Intelligence Sharing and Protection Act, or CISPA, passed the House Intelligence Committee on Wednesday by a vote of 18-2, with its backers, committee Chairman Mike Rogers (R-Mich.) and Ranking Member Dutch Ruppersberger (D-Md.) stressing the urgency of updating the legal framework to shore up the defenses of sensitive digital networks in the face of mounting attacks from hackers, many seeking to steal trade secrets and other intellectual property.

"Cyber hackers from nation-states like China, Russia and Iran are infiltrating American cyber networks, stealing billions of dollars a year in intellectual property, and undermining the technological innovation at the heart of America's economy," Rogers said in a statement on the committee's passage of CISPA. "This bill takes a solid step toward helping American businesses protect their networks from these cyber looters."

The bill that passed the intelligence committee included several amendments designed to address the concerns of critics, particularly those who have warned that the measure would give a green light to businesses to funnel troves of personal information collected from their users to secretive military agencies like the National Security Agency with minimal accountability.

Privacy Rights Groups Remain Conflicted about CISPA

But those adjustments are fairly modest compared to the substantial changes that privacy rights groups like the American Civil Liberties Union and the Electronic Frontier Foundation have been seeking. They have warned that CISPA could become a pretext for an extensive government surveillance operation that could ensnare the contents of people's emails, online chats and browsing histories in the name of cybersecurity.

In an Op-Ed that appeared in Politico earlier this week, ACLU legislative counsel Michelle Richardson called CISPA "an unmitigated and unaccountable mess for Internet users' private data."

Richardson argued that the bill must be modified to state unequivocally that users should have control over how their information is collected, and that it should incorporate provisions limiting the sharing and use of data and directing companies to make every effort to remove personally identifiable information from the transmissions they share with the government.

CISPA Amendments Don't Assuage ACLU's Privacy Objections

The amendments attached to the version of CISPA that passed the committee stopped short of those criteria, but were nonetheless intended to address some of the concerns that have clouded the bill since it first appeared in the last Congress.

One amendment stipulates that businesses can only collect and share information under a CISPA mandate for cybersecurity applications, barring them from using that information for marketing or other purposes.

Other changes would bar companies from retaliatory hacking against entities that they believe have infiltrated their systems, add minimization provisions intended to limit the information being shared and used under the bill, and remove the open-ended term "national security" as an authorization for government use of data that it received from the private sector. The amended bill would also create an oversight role for federal privacy officials to review the government's data-collection and usage activities.

Reached by email Thursday morning, Richardson said that the amendments did little to assuage the ACLU's privacy objections, affirming that the group will continue to work to defeat CISPA.

"We are disappointed that the main problems with the bill were not fixed in the markup, especially the lack of civilian control [of] this new collection program and the lack of direction to companies to protect personally identifiable information," Richardson said. "We continue to oppose the bill."

Industry Groups Praise CISPA

Industry groups, meantime, praised CISPA for offering long-overdue legal protections for companies to share vital threat information. Robert Holleyman, president and CEO of BSA, a trade group representing the software industry, hailed the version of the bill that cleared committee for striking a balance that could bolster defenses against cyber intrusions while still protecting users' privacy.

"BSA particularly commends the committee's adoption of several amendments to strengthen privacy protections as the public and private sectors share information about cyber threats," Holleyman said in a statement. "BSA firmly believes that increased cybersecurity does not have to come at the expense of privacy or civil liberties. On the contrary, increased security can enhance citizens' privacy by preventing private information from ending up in the hands of cyber criminals."

Kenneth Corbin is a Washington, D.C.-based writer who covers government and regulatory issues for
