On CISPA - HR 3523

Mike Conaway voted for CISPA; I would have voted against it.



Analyzing CISPA is the perfect opportunity to put in print an overview of how I would make legislative decisions.

Each Congressperson has a staff.  A key role of my staff would be to read and analyze bills, and report their findings to me.  For readers who haven’t had a staff working for them (I was privileged to have a very senior staff at the 2d Marine Division), this is a huge benefit to understanding and trying to predict the consequences of a policy, regulation, or law.  The life experiences, skill sets, and wisdom of a staff can provide invaluable perspective to a decision-maker.  As your Representative, I would of course retain the decision-making authority with regard to my vote on each and every bill under review; and, of course, I would retain the responsibility for my decision, regardless of the consequences.

On a complex bill such as CISPA, I would certainly like to hear multiple perspectives, including those from knowledgeable Information Technology advisors, as well as legal advisors, with regard to some of the included language.  However, since I do not have the benefit of a staff, and since it is reasonable for a prospective voter to ask my opinion on any bill, I will provide my current take on CISPA.

After reading this bill through at least three times (some parts many more times), and studying its language very carefully, in my present understanding I would have to vote against it.  Page 5, Line 3 (see HR 3523 RFS as it was approved by the House and has been referred to the Senate) has the following text:  “use of cybersecurity systems to identify and obtain cyber threat information to protect the rights and property of such entity; . . .”

This short phrase has numerous problems:

1) It does not line up with a restriction listed on Page 3, Lines 3-5 where the shared information has to be “consistent with the need to protect the security of the United States;”

2) It allows private cybersecurity providers and self-protected entities to determine for themselves what information meets the criteria of being a “cyber threat;”

3) It appears to allow the information, which may be either weakly or improperly identified, to be shared with “any other entity, including the Federal Government.”

Certainly, private companies are already encouraged and protected in reporting violations of law.  We need no new legislation to provide this lawful action on the part of private companies.  But this bill seems to open up varying types of information to an excessively broad category of entities.  This, and additional internal inconsistencies prove it to be a poorly written bill, regardless of its intended consequences.

I therefore would not be able to support it.