CISPA 2013 Passes House: Why IBM Champions The Controversial Cybersecurity Bill Despite Obama’s Veto Threat

The U.S. House of Representatives approved the highly controversial Cyber Intelligence Sharing and Protection Act Thursday afternoon by an overwhelming 288-127 vote, and IBM couldn’t be any happier.

Of the many companies supporting CISPA, which cleared the House Intelligence Committee last week by a count of 18 to 2 in a closed-door vote, only the 101-year-old technology corporation known as “Big Blue” felt strongly enough to send 200 executives to Capitol Hill to convince lawmakers to back the cybersecurity bill.

“We’re going to put our shoeleather where our mouth is,” IBM VP of Governmental Affairs Chris Padilla told The Hill on Monday. “The message we're going to give is going to be a very simple, clear message: Support the passage of CISPA.”

The presence of IBM seems to have made an impact. Prior to IBM’s visit to Washington, CISPA had only two co-sponsors since its reintroduction in February (the original bill was introduced in the previous Congress back in November 2011); since Monday, however, 36 members of the House have signed on as co-sponsors. Though that number wouldn’t have been enough to change the outcome of Thursday’s vote, it was a strong show of support.

Though prominent tech companies like Facebook, Google and Apple all support CISPA (via the TechNet trade association), IBM’s desire for greater data sharing and tighter cybersecurity controls makes sense for Big Blue, which is the currently the largest holder of U.S. patents and intellectual properties. If there’s any company with valuable proprietary information to protect, it’s IBM.

“It’s our experience that the most effective thing you can do when a cyberattack occurs is to share information quickly between government and industry and between industry actors in real time in order to find where the attack is coming from and to shut it down,” Padilla said.

"The key really is when an attack happens — and they will happen — is detecting it, and shutting it down and preventing the loss of data as quickly as possible. That's a question of information and it's a question of speed,” the IBM exec added. “And often, the government will have very timely and critical information that banks or telecommunications companies need to know that there is an attack. Other times, we detect it first and sharing [information] with the government could serve to warn others that there may be an attack."

But while companies like IBM would prefer CISPA’s structured procedures in event of a cyberattack, advocacy groups like the ACLU, Electronic Frontier Foundation and a coalition of maore than 40 organizations all condemn the bill for its broad language and lack of limits on how and when the government and military, including the National Security Agency, can monitor Americans’ Internet activities.

“Since CISPA broadly immunizes corporations from criminal and civil liability, it prevents customers from holding those companies accountable if they negligently or recklessly mishandle their data,” former White House Cybersecurity Director Chris Finan wrote in a recent column for Wired.

“To avoid the moral hazards of such broad immunity, lawmakers should carefully tailor corporate liability protections,” he said. “Yes, the risk of a cyberattack is indeed real, and warrants careful legislative action. But as Congress again debates how to address this risk, our elected officials must be willing to reject the false choices and drastic measures that would undermine our fundamental principles.”

Fortunately for opponents of CISPA, President Barack Obama again has threatened to veto the bill, just as he did last year.

“The administration still seeks additional improvements and if the bill, as currently crafted, were presented to the president, his senior advisers would recommend that he veto the bill,” the White House said on Tuesday. “The administration seeks to build upon the continuing dialogue with the HPSCI [House Intelligence Committee] and stands ready to work with members of Congress to incorporate our core priorities to produce cybersecurity information sharing legislation that addresses these critical issues.”

Even if the language in CISPA needs improvement, companies like IBM still feel strongly about being able to effectively handle cyberthreats; according to Padilla, the NSA is the best agency for the job, and CISPA would ensure it could handle complicated matters like these directly.

“It really is a simple matter,” Padilla said. “The expertise in the U.S. government on cybersecurity largely rests in one place, and that's the National Security Agency. They tend to know the most, the soonest about cyberthreats and I think, frankly, there is a certain amount of feeling in the business community that you should be able to work directly and share information directly with the agency that has the most expertise.”

There are many wrinkles to the story of CISPA, including the fact that the wife of the bill’s author, House Intelligence Chairman Mike Rogers, R-Mich., stands to benefit greatly from the passing of this particular bill considering her involvement with cybersecurity defense contractors. But for those who want to learn more about CISPA, they can read the full text of the latest CISPA draft online, and there are also plenty of other excellent resources that describe what the bill specifically aims to accomplish, and what the bill lacks in terms of privacy and corporate liability protections. The Electronic Frontier Foundation also has recommendations to take action and raise awareness about CISPA.

Follow Dave Smith on Twitter