Critics: CISPA still a government surveillance bill

A House committee doesn't change the cyberthreat sharing bill enough to win support from some digital rights groups

A U.S. House of Representatives committee failed to make the changes necessary to allay fears about government surveillance in a controversial cyberthreat sharing bill that's moving toward a House vote, critics said.

The House Intelligence Committee, in voting 18-2 Wednesday to approve the Cyber Intelligence Sharing and Protection Act (CISPA), did not address concerns that the bill would allow private companies to share too much customer information with government agencies in the name of fighting cyberattacks, digital rights groups said.

Committee leaders expect the full House to vote on CISPA as soon as next week.

"Cyberhackers from nation-states like China, Russia, and Iran are infiltrating American cyber networks, stealing billions of dollars a year in intellectual property, and undermining the technological innovation at the heart of America's economy," Committee Chairman Mike Rogers, a Michigan Republican and cosponsor of the bill, said in a statement. "This bill takes a solid step toward helping American businesses protect their networks from these cyber looters."

But digital rights groups said the bill still has major flaws. "The changes that were offered during the closed-door markup do nothing to address the specific concerns we've been expressing about the bill for months," said Evan Greer, campaign manager at digital rights group Fight for the Future.

The bill will allow private companies to share a wide range of customer information they deem to be related to cyberthreats with U.S. agencies like the National Security Agency, Greer said in an email.

"The version of CISPA that passed out of Committee yesterday has several amendments that make it appear better on the surface, but do nothing to address the fundamental flaw with the bill, which is that it still allows massive amounts of private user data to be shared with secretive agencies," he added. "It still provides sweeping legal protections for corporations that share our data."

If CISPA's sponsors don't want it to be a surveillance bill, they should make additional changes, Greer said. "If that's true, there's an easy fix: write that into the bill," he added.

Sponsors and some other lawmakers defended the bill, saying it provides significant privacy protections. The committee accepted an amendment from Representative Jim Langevin, a Rhode Island Democrat, that prohibits companies from counterattacking, or hacking back, against cyberattackers after digital rights groups raised concerns that the bill's language could allow such activity.

Langevin praised the bill, saying more cyberthreat information sharing is needed, but he also suggested that CISPA "is not a final solution to cybersecurity."

"While [the bill] promises to greatly improve situational awareness, information sharing alone will not allow us to prevent every attack," he said in a statement. "Our most vulnerable and valuable infrastructure must meet minimum cybersecurity standards in order to minimize the risk of a major cyberattack that could leave millions without electricity or safe drinking water for an extended period of time."

Another amendment approved by the committee would limit the private sector's use of any cybersecurity information received to only cybersecurity uses. Some digital rights and privacy groups had questioned whether the bill would allow companies to use the cyberthreat information they receive for other purposes.

The committee also removed language from the bill that would allow the government to use data collected under CISPA "for national security purposes," in an attempt to narrow the government's use of the information.

But Greer questioned whether that was a substantial improvement. The change is "not a real fix," he said. "The term 'cybersecurity' is so poorly defined within the bill that it does not provide meaningful limitations on what can be done with the data that's collected."

Sponsors of the bill said it contains several privacy protections. CISPA prohibits the government from forcing private sector entities to provide information to the government, and encourages private companies to "anonymize" or "minimize" the information they voluntarily share with the government, sponsors said.

The bill also allows individuals to sue the federal government for privacy damages, costs and attorney's fees in federal court, and it requires an annual review of the information-sharing program by the intelligence community inspector general. CISPA will sunset in five years.

Still, Representative Adam Schiff, a California Democrat, said he was disappointed that the committee rejected his amendment that would have required companies to make reasonable efforts to remove unrelated private information from the cyberthreat information they share.

"It is not too much to ask that companies make sure they aren't sending private information about their customers, their clients, and their employees to intelligence agencies, along with genuine cyber security information," he said in a statement.

Among the groups voicing support for the bill were the BSA and the Software and Information Industry Association, both software trade groups. CISPA would "provide the critical necessary framework for early detection and notification of cybersecurity threats," the SIIA said. 

Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's e-mail address is
