House approves CISPA over privacy objections

The bill still needs to pass the Senate and get Obama's signature before becoming law

The U.S. House of Representatives has voted to approve a controversial cyberthreat information-sharing bill, despite opposition from the White House and several privacy and digital rights groups.

The House on Thursday voted 288-127 to approve the Cyber Intelligence Sharing and Protection Act (CISPA), a bill that would allow U.S. intelligence agencies to share cyberthreat information with private companies. It would also shield private companies that voluntarily share cyberthreat information with each other and with government agencies from privacy lawsuits brought by customers.

The bill would still need to be passed by the U.S. Senate before heading to President Barack Obama for his signature. The Senate declined to act on another version of CISPA during the last session of Congress, and earlier this week, Obama's advisors threatened a veto, although that was before the House approved a handful of amendments intended to address privacy concerns.

CISPA would allow private companies to share a broad range of customer data with each other and with government agencies, privacy groups have complained.

Supporters, however, argued the legislation is needed to encourage better information sharing about active cyberattacks, resulting in better defense of U.S. networks. Federal law now prohibits intelligence agencies from sharing classified cyberthreat information with private companies.

The bill will help protect the U.S. against cyberattacks from China, Iran and other countries, supporters said. Cyberespionage has cost the U.S. tens of thousands of jobs, as foreign companies steal the blueprints of U.S. products, said Representative Mike Rogers, a Michigan Republican and primary sponsor of CISPA.

"If you want to take a shot across China's bow, this is the answer," he said to applause on the House floor.

The bill correctly balances privacy concerns with the need for security, added Representative Dan Maffei, a New York Democrat. Rogue nations and "even independent groups like WikiLeaks" are taking aggressive measures to attack the U.S. power grid, air-traffic control systems and customer financial data, he said.

"Every day, international agents, terrorists and criminal organizations attack the public and private networks of the United States," he said. "While I do always have some concern that the U.S. government may access our private information in the cyber sphere, I am more concerned that the Chinese government will access our private information."

The House on Thursday voted for a handful of amendments to the bill intended to improve privacy protections in the bill. Lawmakers approved an amendment designating the U.S. Department of Homeland Security and U.S. Department of Justice as the primary repositories of cybertheat information shared by private companies, addressing a concern by several privacy groups that CISPA would give the U.S. National Security Agency unfettered access to customer data.

Lawmakers also approved an amendment prohibiting companies that receive cyberthreat information from others from using the data for marketing purposes. The House also approved another amendment that strictly prohibits government agencies from using the shared data to conduct surveillance on U.S. residents.

Still, some Democrats said the bill did not include enough privacy protections. CISPA does not require private companies to scrub unnecessary customer information from the data they share with each other and with government agencies, and it includes overly broad protections from lawsuits for companies that share information, said Representative Nancy Pelosi of California, the Democratic leader in the House.

Private companies can "just ship the whole kit and caboodle," Pelosi said.

Companies should ship only information that is relevant to national security, she said. "The rest is none of the government's business," Pelosi added.

A broad range of tech companies and trade groups voiced support for CISPA. "Every day, Internet service providers see and respond to a growing number of cyber threats that could cause significant economic damage and personal privacy breaches," the National Cable and Telecommunications Association said in a statement. "[CISPA] enables private companies and the government to share information that will enhance protection of our Internet infrastructure, consumers and America's economy."

Digital rights group Free Press said it was disappointed in the vote.

"CISPA would still obliterate our privacy laws and chill free expression online," policy director Matt Wood said in an email. "We need to make sure companies remove irrelevant personal information when they share our data, and that companies can be held accountable for ignoring and abusing Internet users' civil liberties."

Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's e-mail address is

Join the CSO newsletter!

Error: Please check your email address.

Tags U.S. Department of Justicefree pressNational Cable and Telecommunications AssociationU.S. Department of Homeland SecurityU.S. National Security AgencyNancy PelosilegislationprivacyMatt WoodDan MaffeiU.S. House of RepresentativessecuritygovernmentMike Rogersdata protection

More about Department of JusticeIDGNational Security Agency

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Grant Gross

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts