Mike Rogers (R-Mich.), chairman of the House Permanent Select Committee on Intelligence, said Monday that his cybersecurity bill has been changed to address some of the concerns of the White House and privacy advocates. But on the same conference call with reporters, bill co-sponsor C.A. Dutch Ruppersberger (D-Md.) said that the White House was not yet backing the bill.
H.R. 624, the Cyber Intelligence and Sharing Protection Act, is almost identical to their Cyber Intelligence Sharing and Protection Act (H.R. 3523) that passed the House 248-168 last April before running into a Senate controlled by Democrats favoring a bill with cybersecurity guidelines Republicans feared would morph into mandates.
Rogers said that they remained "wide open" to constructive suggestions to help "clarify" the bill, and have incorporated those into the changes, with more likely to come. H.R. 624 paves the way for more info sharing of classified government info, sharing of threat info among ISPs and other industry players or with the government on a voluntary basis, and provides liability protection for that sharing.
Rogers said they have had productive conversations with the White House, and that the improvements they will introduce at markup "address several of the administration's concerns. We plan to keep talking and moving toward a consensus that will allow us to get the bill signed into law."
Ruppersberger added that the White House "was still not behind our bill," but they are working on it to try to address their issues. "Congress needs to act now," he said.
The key changes, the legislators said Monday, are that the bill now makes it explicit that shared information can only be used to identify the online cyber threat, not for marketing and other uses privacy advocates had feared would ensue. He said that was to counter the "misperception" that private sector companies would use the info for non-cybersecurity uses.
The chages also include striking national security language, further narrowing the authorized use of info shared by the private sector. He said the issue may need to be addressed further down the line, but that it was not worth holding up the bill over.
The bill also makes clear that companies are not allowed to "hack back" to recover information stolen from them; that personal information is not being passed to the government beyond what is "necessary to understand the cyberthreat"; and that there will be plenty of oversight, including by privacy offices of individual government agencies.
Rogers said the definitions in the bill will provide for narrow authorities and will not leave room for abuse. "It is clear when you read the bill that this is not a surveillance bill. It does not allow the NSA to plug into domestic networks."
Asked whether he expected the White House to support the bill, Rogers said: "We are closer" on some issues, "and haven't gotten close on others." He said they continue to have a working dialog.
Ruppersberger said that the main issue is that both he and Rogers are willing to make changes and negotiate because the threat of cyber attacks is only growing.