Mike Rogers (R-Mich.), chairman of the House
Permanent Select Committee on Intelligence, said Monday that his cybersecurity
bill has been changed to address some of the concerns of the White House and
privacy advocates. But on the same conference call with reporters, bill
co-sponsor C.A. Dutch Ruppersberger (D-Md.) said that the White House was not
yet backing the bill.
H.R.
624, the Cyber Intelligence and Sharing Protection Act, is almost identical to
their Cyber Intelligence Sharing and Protection Act (H.R. 3523) which passed
the House 248-168 last April before running into a Senate controlled by
Democrats favoring a bill with cybersecurity guidelines Republicans feared
would morph into mandates.
Rogers said that they
remained "wide open" to constructive suggestions to help
"clarify" the bill, and have incorporated those into the changes,
with more likely to come. H.R. 624 paves the way for more info sharing of
classified government info, sharing of threat info among ISPs and other
industry players or with the government on a voluntary basis, and provides
liability protection for that sharing.
Rogers said they have had
productive conversations with the White House, and that the improvements they
will introduce at markup "address several of the administration's concerns.
We plan to keep talking and moving toward a consensus that will allow us to get
the bill signed into law."
Ruppersberger
added that the White House "was still not behind our bill," but they
are working on it to try to address their issues. "Congress needs to act
now," he said.
The
key changes, the legislators said Monday, are that the bill now makes it
explicit that shared information can only be used to identify the online cyber
threat, not for marketing and other uses privacy advocates had feared would
ensue. He said that was to counter the "misperception" that private
sector companies would use the info for non-cybersecurity uses.
The
chages also include striking national security language, further narrowing the
authorized use of info shared by the private sector. He said the issue may need
to be addressed further down the line, but that it was not worth holding up the
bill over.
The
bill also makes clear that companies are not allowed to "hack back"
to recover information stolen from them; that personal information is not being
passed to the government beyond what is "necessary to understand the
cyberthreat"; and that there will be plenty of oversight, including by
privacy offices of individual government agencies.
Rogers said the definitions
in the bill will provide for narrow authorities and will not leave room for
abuse. "It is clear when you read the bill that this is not a surveillance
bill. It does not allow the NSA to plug into domestic networks."
Asked
whether he expected the White House to support the bill, Rogers said: "We are
closer" on some issues, "and haven't gotten close on others." He
said they continue to have a working dialog.
Ruppersberger
said that the main issue is that both he and Rogers are willing to make changes
and negotiate because the threat of cyber attacks is only growing.
