The cable-backed cybersecurity bill HR 3523, the Cyber Intelligence Sharing and Protection Act, passed the House of Representatives 248 to 42 late Thursday with various amendments to make it more palatable to privacy groups and Democrats. It faces even further modifications in the Senate, its Republican backers conceded, and will need them if it is to avoid a veto threat by the White House issued earlier this week.
Passage, which included more than 40 Democratic ayes, followed a generally respectful, but extensive daylong debate, first on amendments then on the underlying bill.
The bill allows for government sharing of cyberthreat information with industry, and vice versa, subject to some restrictions, though not enough for privacy groups.
Among the amendments agreed to, is sunsetting the bills provisions in five years, which means it will get a review and have to be renewed. There were also amendments to narrow the definitions in the bill and make it clear that the information being shared between industry and government can be FOIA'd, subject to the usual exemptions.
But bill opponents, including privacy groups and many Democrats, are still concerned about the bill's liability protections for companies they say encourage them to dump data, including personal data, on the government, the extent to which the government can use that information, and the rubric of "national security" that could cover a multitude of perceived sins.
Companies are encouraged, but not required, to delete personal information identifiers from any info they share.
Bill critics talked about the bill sweeping away privacy protections and empowering government spying, charges that appeared to frustrate Republican bill backers who maintained it was a narrow bill and that it was time to take a first step, suggesting there would be opportunity for more refinements and narrowing before it made it to the President's desk.
By late Thursday, the criticisms of a bipartisan bill that had passed 17 to 1 out of the House Intelligence Committee started sounding like the pushback on another bipartisan online bill that gave government more power and industry more liability protections, the Stop Online Piracy Act (SOPA). SOPA was eventually deep-sixed.
In fact, several legislators went out of their way to say this was not a repeat of SOPA, including pointing out nothing in the bill allows the government to block Web sites or movie downloads. "This is not SOPA," said Rep. Dutch Ruppersberger (D-Md.), co-sponsor of the bill.
The bill does not include a final amendment, a provision preventing an employer from asking for a Facebook or Twitter password as a condition of employment. It was not directly related to the bill, but is an issue that has been in the news and on some legislators' minds for weeks now, and was pushed by Rep. Ed Perlmutter (D-Colo.).
Bill co-sponsor Mike Rogers (R-Mich.) expressed frustration that the amendment was offered, saying it was another one of the "kitchen sink" items opponents had thrown at a bill he was attempting to keep as narrow as possible.
CISPA's passage means House Republicans can say they have passed cybersecurity legislation and the ball is now in the Democratically controlled Senate's court, a point they will likely make the next time Anonymous hacks into a high-profile web site