Last Thursday, the House Intelligence Committee held a hearing that focused on the Cyber Intelligence Sharing and Protection Act (CISPA)—the reintroduced privacy-busting cybersecurity bill from last year that would allow the private sector to share Americans' private information with the government, including agencies within the Department of Defense (DoD), such as the National Security Agency (NSA).
Despite failing to include a single privacy expert, the hearing returned to privacy and civil liberties issues repeatedly. Interestingly, corporate representatives—perhaps to the surprise of CISPA's sponsors—said repeatedly that the private sector generally does not need to share Americans' personally identifiable information (PII) with the government to advance cybersecurity. For example, Rep. Mike Thompson, D-Calif., questioned a witness on how to amend CISPA to protect PII. The witness, Paul Smocer from the Financial Services Roundtable, replied that "the kind of information we're talking about sharing here seldom, if ever, actually does contain any private information." He also added that he'd be "willing to work with" Thompson to improve CISPA's privacy
Rep. Adam Schiff, D-Calif., then followed up with similar privacy concerns, asking whether it would be an "insurmountable burden for the private sector to have to take reasonable steps to minimize [PII]." Smocer again said that "there is very little private data, PII, being exchanged today in the threat information world," and that he didn't "think it would be an issue to make sure that we're doing it the right way." Ken DeFontes, president of Baltimore Gas and Electric, added "I think it's an absolute necessity." And John Engler, president of the Business Roundtable, echoed their sentiments, saying "I think it's
Despite this, the bill's sponsors, Reps. Rogers, R-Mich., and Ruppersberger, D-Md., crafted CISPA to immunize companies from liability for sharing private information like internet records, communications content, and identifying information. The bill sponsors also tried to establish that the government, and not the private sector, is best positioned to anonymize data—but the witnesses would not change their answers. Smocer said that companies are in the best position to protect customer data, that the added cost wouldn't be a deterrent, and reminded everyone how infrequently PII needs to be shared in the first place. Kevin Mandia, the panelist representing the cybersecurity industry, enthusiastically agreed with Smocer, stating that "in 20 years of doing cybersecurity…[he's] never seen a package of threat intelligence that's actionable that also includes [PII]."
Rogers and Ruppersberger argue their bill strongly protects privacy, assuring everyone that the private sector will just be sharing 1's and 0's—no PII. And industry is now on the record stating that companies do not normally need to share PII with the government. This raises the question: If sharing this information is so unnecessary to the cybersecurity mission, why not just explicitly build that protection into the bill?