A U.S. House of Representatives committee failed to make the changes necessary to allay fears about government surveillance in a controversial cyberthreat sharing bill that's moving toward a House vote, critics said.
The House Intelligence Committee, in voting 18-2 Wednesday to approve the Cyber Intelligence Sharing and Protection Act (CISPA), did not address concerns that the bill would allow private companies to share too much customer information with government agencies in the name of fighting cyberattacks, digital rights groups said.
Committee leaders expect the full House to vote on CISPA as soon as next week.
"Cyberhackers from nation-states like China, Russia, and Iran are infiltrating American cyber networks, stealing billions of dollars a year in intellectual property, and undermining the technological innovation at the heart of America's economy," Committee Chairman Mike Rogers, a Michigan Republican and cosponsor of the bill, said in a statement. "This bill takes a solid step toward helping American businesses protect their networks from these cyber looters."
But digital rights groups said the bill still has major flaws. "The changes that were offered during the closed-door markup do nothing to address the specific concerns we've been expressing about the bill for months," said Evan Greer, campaign manager at digital rights group Fight for the Future.
The bill will allow private companies to share a wide range of customer information they deem to be related to cyberthreats with U.S. agencies like the National Security Agency, Greer said in an email.
"The version of CISPA that passed out of Committee yesterday has several amendments that make it appear better on the surface, but do nothing to address the fundamental flaw with the bill, which is that it still allows massive amounts of private user data to be shared with secretive agencies," he added. "It still provides sweeping legal protections for corporations that share our data."
If CISPA's sponsors don't want it to be a surveillance bill, they should make additional changes, Greer added. "If that's true, there's an easy fix: write that into the bill," he added.
Sponsors and some other lawmakers defended the bill, saying it provides significant privacy protections. The committee accepted an amendment from Representative Jim Langevin, a Rhode Island Democrat, that prohibits companies from counterattacking, or hacking back, against cyberattackers after digital rights groups raised concerns that the bill's language could allow such activity.
Langevin praised the bill, saying more cyberthreat information sharing is needed, but he also suggested that CISPA "is not a final solution to cybersecurity."
"While [the bill] promises to greatly improve situational awareness, information sharing alone will not allow us to prevent every attack," he said in a statement. "Our most vulnerable and valuable infrastructure must meet minimum cybersecurity standards in order to minimize the risk of a major cyberattack that could leave millions without electricity or safe drinking water for an extended period of time."