CISPA Is Dead (For Now)
The Senate will not take up the controversial cybersecurity bill, is drafting separate legislation
By Jason Koebler
April 25, 2013
CISPA is all but dead, again.
The controversial cybersecurity bill known as the Cyber Information Sharing and Protection Act, which passed the House of Representatives last week, will almost certainly be shelved by the Senate, according to a representative of the U.S. Senate Committee on Commerce, Science and Transportation.
The bill would have allowed the federal government to share classified “cyber threat” information with companies, but it also provided provisions that would have allowed companies to share information about specific users with the government. Privacy advocates also worried that the National Security Administration would have gotten involved.
“We’re not taking [CISPA] up,” the committee representative says. “Staff and senators are divvying up the issues and the key provisions everyone agrees would need to be handled if we’re going to strengthen cybersecurity. They’ll be drafting separate bills.”
Sen. Jay Rockefeller, D-W.V., chairman of the committee, said the passage of CISPA was “important,” but said the bill’s “privacy protections are insufficient.”
That, coupled with the fact that President Barack Obama has threatened to veto the bill, has even CISPA’s staunchest opponents, such as the American Civil Liberties Union, ready to bury CISPA and focus on future legislation.
“I think it’s dead for now,” says Michelle Richardson, legislative council with the ACLU. “CISPA is too controversial, it’s too expansive, it’s just not the same sort of program contemplated by the Senate last year. We’re pleased to hear the Senate will probably pick up where it left off last year.”
That’s not to say Congress won’t pass any cybersecurity legislation this year. Both Rockefeller and President Obama want to give American companies additional tools to fight back against cyberattacks from domestic and foreign hackers.
But cybersecurity legislation in the Senate, such as the Cybersecurity and American Cyber Competitiveness Act of 2013, has greater privacy protections than CISPA does. Richardson says that bill makes it clear that companies would have to “pull out sensitive data [about citizens]” before companies send it to the government and also puts the program under “unequivocal civilian control,” something CISPA author Rep. Mike Rogers, R-Mich., was unwilling to do.
Even if the Senate gets something done, Rogers and other CISPA supporters will likely have to compromise more than they’ve been willing to over the past year as Obama has made it clear he will veto legislation that doesn’t have more privacy protections.
“The way [Rogers] talks, [the House] has gone as far as they possibly can on privacy,” Richardson says. “I don’t know if that’s true and I’m not sure how they’ll respond when the Senate puts something back to them. But if they don’t figure out a compromise, they might not get any legislation at all.”
The commerce representative says that the Senate committee is “working toward separate bills” to improve cybersecurity, which are currently being drafted. But don’t expect these bills soon, as the Senate considers immigration, an Internet sales tax, the aftermath of the Boston bombing and the Federal Aviation Administration’s air traffic control crisis in the wake of sequestration.
Richardson says she thinks it’ll be at least three months before the Senate takes a vote on any cybersecurity legislation.
“We need to be vigilant as the year moves on to make sure that whatever the next product is, it’s not CISPA-lite,” she says. “I think this is probably going to take the rest of the year.”