The fight over the Cyber Intelligence Sharing and Protection Act (CISPA) has just begun.
On April 18, the U.S. House of Representatives passed the bill, which aims to ease information sharing between private companies and the government, a weak spot in the nation's ability to defend itself against cyber-attacks.
The latest bill, however, trumps privacy legislation and allows companies to dodge accountability for the collection and sharing of users' information, critics say.
In fact, the fight over CISPA appears to be a battle over liability protections for corporations. Companies—from Microsoft to IBM to Facebook—have thrown their support behind the bill because of the sweeping liability protections it will grant to companies that share information, not because it will improve the nation's cyber-security, Rainey Reitman, activism director at the Electronic Frontier Foundation, told eWEEK.
"Companies don't have to worry about any other privacy law enacted to protect user privacy," she said. "They can simply share information for cyber-security purposes to the federal government ... and if they are sloppy, they don't have to worry."
The bill, originally created in 2011 and revised since then, attempts to entice companies to share more information on cyber-security incidents—such as breaches of their systems—so that government agencies can develop an accurate picture of who is attacking U.S. interests in cyberspace.
"I am very proud that so many of my colleagues were able to look past the distortions and fear mongering about this bill, and see it for what it really is—a very narrow and focused authority to share cyber-security threat information to keep America safe," Mike Rogers, R-Mich., chairman of the House Select Committee on Intelligence, said in a statement announcing the bill's passage.
Yet issues with the bill range from worries that companies will collect more information to concerns that military and intelligence agencies will gain even more access to information on citizens' lives. In addition, the current form of CISPA fails to take adequate measures to protect privacy and hold companies liable for their actions, President Barack Obama’s administration argued in a position statement issued on April 16.
"The administration believes that carefully updating laws to facilitate cyber-security information sharing is one of several legislative changes essential to protect individuals' privacy and improve the Nation's cyber-security," the Obama administration’s position statement argued.
"While there is bipartisan consensus on the need for such legislation, it should adhere to the following priorities: (1) carefully safeguard privacy and civil liberties; (2) preserve the long-standing, respective roles and missions of civilian and intelligence agencies; and (3) provide for appropriate sharing with targeted liability protections," the statement said.
Without changes, the President has promised to veto the bill.
Companies are expecting Congress to approve the bill with its sweeping liability protections intact. U.S. House of Representatives members have received almost $68 million from companies supporting the legislation, 16 times as much money as from companies opposing the legislation. Companies have worried that sharing information with the government could result in lawsuits over breaches.
"The legislation would seek to eliminate barriers and disincentives that currently prevent effective information sharing to guard against cyber-attacks," Fred Humphries, vice president, U.S. Government Affairs, Microsoft, said in a statement after the introduction of the bill in November 2011. "This bill would enable cyber-security providers and other entities that detect cyber-threat information in the course of protecting computer networks to more easily share information with each other."
An array of civil liberties and digital rights groups stand against the bill, including the Center for Democracy and Technology, the American Civil Liberties Union and the Electronic Frontier Foundation.