The Senate won't take up CISPA, but the cybersecurity battle on Capitol Hill is far from over.
The Cyber Information Sharing and Protection Act, which passed the House of Representatives last week, won't be picked up in the Senate. The reason why depends on who you ask.
Jay Rockefeller, head of the Senate Committee on Commerce, Science and Transportation, has said CISPA has provisions that raise serious privacy concerns for citizens. But on Friday, Saxby Chambliss (R-Ga.), ranking member on the Select Committee on Intelligence, said that in his mind, CISPA wouldn't be picked up for other reasons – it doesn't provide enough protections for the companies it'd help.
Both Senators are working toward new cybersecurity legislation in the Senate.
"I think the best course in the Senate is for us to start from scratch and build a new bill," Chambliss said at a U.S. News cybersecurity event hosted by George Washington University Friday. "We're going to keep talking about it until we have the right solution."
As currently crafted, CISPA allows the government to share classified "cyber threat information" with companies, who say they are losing billions of dollars annually to stolen patents and cyber attacks. The bill also allows companies to pass user information to the federal government – a provision that has many civil liberty groups up in arms.
The bill also grants immunity from lawsuits to companies that pass incorrect "cyber threat" information to the government, as long as the company can prove that it acted in "good faith."
That provision was the basis for a veto threat from President Barack Obama – in a statement, the administration said it supports "targeted liability protections."
"The administration is concerned about the broad scope of liability limitation in [CISPA]," the release says.
Chambliss said Friday that the liability protections in CISPA don't go far enough to protect companies and any cybersecurity bill should have "full liability protections" for companies.
"If the private sector does not have to worry about frivolous lawsuits, they'll be more likely to share information with the government," he said. "And if the government gets more information from the private sector, they'll be more likely to share [classified] information with companies."
Chambliss also said any information shared with the government should be available for use by the National Security Administration, Department of Defense or FBI, if necessary. Last-minute amendments to CISPA sought to keep all information sharing restricted to the Department of Homeland Security, a civilian agency.
"All relevant government entities, including the Department of Defense, must get real-time access to information from the private sector. We don't need arbitrary lines between the FBI, DoD and DHS because of perceived privacy issues," he said. "If there's something in the cyber threat info that helps law enforcement identify a child's kidnapper, they should be able to utilize that."
It's doubtful Chambliss will get what he wants, considering that Obama and many lawmakers, including Rockefeller, have already said the bill needs more privacy protections, not fewer. If he does introduce legislation that blurs the lines of who has access to public information, he can expect to hear about it from privacy proponents such as the American Civil Liberties Union and the Electronic Frontier Foundation, which have mounted protests against CISPA.
Any information sharing program, says Michelle Richardson, legislative counsel with the ACLU, should be under "unequivocal civilian control."
Rainey Reitman, activism director for the EFF, says that it's "too early to know what the Senate will do for certain," but that any cybersecurity law should have more protections for privacy than CISPA does.
"There's this real sense that whatever they move forward with will have to be a compromise," Reitman says. "We want to make sure that it doesn't involve the dangerous components of CISPA."