The House passed cybersecurity legislation Thursday that the White House has threatened to veto.
The Cyber Intelligence Sharing and Protection Act (CISPA), HR 3523, would allow the government and industry to voluntarily share information about malicious attacks and viruses. Companies that share information under the bill's provisions would be granted legal protections if they are subject to a cyber attack.
Laws currently prohibit intelligence agencies from sharing classified cybersecurity information with companies like AT&T, Verizon and Comcast, said Rep. Dutch Ruppersberger, D-Md., the House Intelligence Committee's ranking member and co-author of the bill. But the White House and privacy advocates warn that the bill does little to prevent the National Security Agency and other government entities from gaining access to company data such as citizens' personal information and communications records that could be used for purposes other than cybersecurity.
The administration and many House Democrats said the bill would not require private operators of the nation's most critical infrastructure to improve security or respond to cyber threat information provided by the government.
Senior administration advisers recommend the president veto the bill in its current form.
Sens. Joe Lieberman, I-Conn., Susan Collins, R-Maine, Jay Rockefeller, D-W.Va., and Dianne Feinstein, D-Calif., issued a joint statement rejecting the House bill because it doesn't address cyber vulnerabilities in the nation's critical systems.
Under a bill sponsored by Lieberman, certain companies operating the nation's electric grid, water supply and other critical systems would have to meet cybersecurity standards approved and enforced by the Department of Homeland Security and share with the government all instances when they come under cyber attack.
"We look forward to debating and passing that bill so that we can conference with the House and produce legislation that secures the most critical systems on which all American people and businesses depend each day," the senators said in a statement.
Rep. Mike Rogers, R-Mich., chairman of the House Intelligence Committee, said the House bill would not create new authorities for agencies or allow government surveillance.
"I wish people would read the bill, all of it," he said in response to sharp criticisms. "America will be a little safer and our economy better protected from foreign cyber predators with this legislation," Rogers said in a statement.
Several companies, including Facebook, the U.S. Chamber of Commerce and industry group TechAmerica support the bill.
The approved bill included amendments prompted by concerns from privacy advocates like the Center for Democracy and Technology. For example, it prohibits the government from using personal documents, such as library book records, tax returns and firearm sales records for purposes not designated by the bill.
The bill also:
• Requires that the government only use shared information for cybersecurity, investigation and prosecution of cybersecurity crimes, protection of individuals and minors, and national security.
• Requires that regulatory information already required to be provided remain accessible under the Freedom of Information Act.
• Sunsets the bill five years after it is enacted, unless Congress renews it.
The House also passed HR 4257, the 2012 Federal Information Security Amendments Act, which would require agencies to continuously monitor the security of federal information systems. The bill would also require agencies to appoint a chief information security officer or senior official to oversee information security programs and enforce compliance.