
The other cybersecurity bills the House passed this week

CISPA isn't the only piece of cybersecurity legislation that passed the House this week.

The Federal Information Security Management Act of 2013 updates the 2002 version of the federal IT security law, known as FISMA, by requiring government agencies to continuously monitor their computer networks for threats.

Right now, FISMA requires government agencies to perform only yearly evaluations of cyber-threats and vulnerabilities. Yours truly can't tell you how many times I've heard cybersecurity experts say the current version of FISMA does nothing to stop fast-paced cyber threats; it's merely an exercise in checking off boxes.

As a statement released this week by Rep. Jim Langevin, co-chair of the Congressional Cyber Caucus, says: "While the annual reports currently mandated under FISMA are supposed to give government executives overall insight into security management of their networks, this does not provide the minute-by-minute view into network security that is needed."

"It's just an out of date and slow process for examining security of government networks," a House staffer told Killer Apps. The new version of FISMA would mandate "continuous monitoring of networks and provide regular threat assessments."

Here's an excerpt from the Library of Congress' official summary of FISMA 2013, explaining the change in the reporting procedures:

Directs senior agency officials, with a frequency sufficient to support risk-based security decisions, to: (1) test and evaluate information security controls and techniques, and (2) conduct threat assessments by monitoring information systems and identifying potential system vulnerabilities. (Current law requires only periodic testing and evaluation.)

Directs agencies to collaborate with OMB [the Office of Management and Budget] and appropriate public and private sector security operations centers on security incidents that extend beyond the control of an agency. Requires that security incidents be reported, through an automated and continuous monitoring capability, when possible, to the federal information security incident center, appropriate security operations centers, and agency Inspector General.

The House also passed the Cybersecurity Enhancement Act, which requires the National Science Foundation, the National Institute of Standards and Technology, and "other key federal agencies" to develop a strategic plan for federal cybersecurity research and development, with a focus on securing industrial control systems and developing advanced protections for personal information online. (Remember, the Stuxnet worm that destroyed roughly a thousand Iranian uranium-enrichment centrifuges did so by reprogramming the industrial control systems, the Siemens PLCs, that drove them.)

The second bill also calls for the establishment of a "Scholarship for Service" program meant to cultivate a highly-skilled government cybersecurity workforce, and it requires the president to send a report to Congress on the government's current and future cybersecurity workforce needs.



CISPA passes the House floor, Senate crafting new cybersecurity bill

The Cyber Intelligence Sharing and Protection Act, better known as CISPA, just passed the House by a vote of 288 to 127. Meanwhile, the Senate is working on crafting its own bill aimed at facilitating information sharing on cyber-threats.

"We are currently drafting a bipartisan information sharing bill and will proceed as soon as we come to an agreement," Senate intelligence committee chair Dianne Feinstein wrote in an email to Killer Apps.

Remember, CISPA allows private businesses to share "cyber-threat information" with each other and government agencies, including the military. 

Earlier this week, the White House threatened to veto CISPA unless it was amended to require that information businesses share with the government go through a civilian agency, such as the Department of Homeland Security, before being passed to any military organization, such as the National Security Agency. The White House also wants to narrow the liability protections given to businesses that improperly disclose personal information or commit antitrust violations while sharing information with each other or with the government.

"The version of CISPA that just passed the House floor includes an amendment that encourages, but doesn't require businesses to share cyber threat information with DHS instead of the military," a Hill staffer told Killer Apps.

Another amendment bans the U.S. government from using information gathered under the auspices of the bill to target a U.S. citizen for surveillance. Another one "reconfirms" that "the federal government may not use library records, book sales records, customer lists, firearms sales records, tax returns, educational and medical records that it receives under CISPA," said the staffer.

Last week, the House intelligence committee removed language from the bill that would have allowed companies to collect and share information for "national security" purposes. Privacy advocates who oppose CISPA claimed using the broad term "national security" would allow the government to spy on people online without a warrant. The committee also added an amendment requiring that information shared with the government be scrubbed of all personal information.

Still, these amendments weren't enough to satisfy privacy advocates such as the ACLU. Here's what Michelle Richardson, one of the ACLU's lawyers, said after the bill passed today.

CISPA is an extreme proposal that allows companies that hold our very sensitive information to share it with any company or government entity they choose, even directly with military agencies like the NSA, without first stripping out personally identifiable information. We will work with Congress to make sure that the next version of information sharing legislation unequivocally resolves this issue, as well as tightens immunity provisions and protects personal information. Cybersecurity can be done without sacrificing Americans' privacy online.

The big questions that remain are whether the White House still opposes CISPA and whether the Democratic-controlled Senate will let CISPA's language survive a conference with its own bill. So far, the White House has remained mum on today's news.

Last year's White House-backed Cybersecurity Act of 2012, sponsored by former Sen. Joe Lieberman and Sen. Susan Collins, failed to clear the Senate because Republicans objected to the bill's call for minimum cybersecurity standards for certain banks, energy firms, communications providers, transport companies, and other so-called critical infrastructure providers.

In February, the White House issued an executive order (Executive Order 13636) directing the government to share intelligence on cyber-threats with businesses and tasking NIST with developing a voluntary framework of baseline best practices for critical-infrastructure providers.
