With the controversial Stop Online Piracy Act (SOPA) and Protecting Intellectual Property Act (PIPA) stifled after strong protests at the end of 2011 and through the beginning of 2012, a new and relatively quiet piece of cybersecurity legislation is rearing its head, finding support among big-name companies and opposition from privacy advocates.
The Cybersecurity Intelligence Sharing and Protection Act was introduced in the House in Nov. 2011 and now has more than 100 co-sponsors. The Huffington Post explains the proposed legislation would encourage businesses to voluntarily share information about cyberattacks with the government by providing more legal protection for the sharing of this information. Opposition is concerned private customer data could be shared under the bill as well.
Here's more from co-sponsors Rep. Mike Rogers (R-Mich.) and Rep. Dutch Ruppersberger (D-Md.):
“Every day U.S. businesses are targeted by nation-state actors like China for cyber exploitation and theft,” Rogers said. “This consistent and extensive cyber looting results in huge losses of valuable intellectual property, sensitive information, and American jobs. The broad base of support for this bill shows that Congress recognizes the urgent need to help our private sector better defend itself from these insidious attacks,” he said.
Many of the same vulnerabilities used to steal intellectual property can also be used to attack the critical infrastructure we depend on every day.
“Without important, immediate changes to American cybersecurity policy, I believe our country will continue to be at risk for a catastrophic attack to our nation’s vital networks - networks that power our homes, provide our clean water or maintain the other critical services we use every day. This small but important piece of legislation is a decisive first step to tackle the cyber threats we face,” said Ranking Member C.A. Dutch Ruppersberger.
The Huffington Post reports that most businesses don't share information about cyberattacks on their systems with the government because they "fear violating anti-trust law." CISPA's "overly broad" language about the definition of consumer data has privacy advocates worried that information obtained by the government in this manner could be abused in the name of cybersecurity:
Michelle Richardson, a legislative counsel at the American Civil Liberties Union, called the bill "a privacy disaster" and "a new backdoor around the Fourth Amendment."
"This is a whole new surveillance program," she told The Huffington Post.
TechDirt has more on this concern:
CISPA states that the entity providing the information cannot be an individual or be working for an individual, but the data they share (traffic, user activity, etc.) will absolutely include information about individuals. There is no incentive in the bill to anonymize this data—there is only a clause permitting anonymization, which is meaningless since the choice of what data to share is already voluntary. Note that any existing legal protections of user privacy will not apply: the bill clearly states that the information may be shared "notwithstanding any other provision of law".
So we've got the government collecting this data, potentially full of identifying information of users in the U.S. and elsewhere, and they are free to use it for any of those broadly defined cybersecurity or national security purposes. But, it gets worse: the government is also allowed to affirmatively search the information for those same reasons—meaning they are by no means limited to examining the data in relation to a specific threat. If, for example, a company were to provide logs of a major attack on their network, the government could then search that information for pretty much anything else they want.
HuffPo also reports that supporters of the bill deny recent criticism that it is the new SOPA. Rogers said comparing the two bills is like comparing apples to oranges. But some tech blogs feel differently. GeekOSystem, while it acknowledges critical differences between the two bills, states CISPA is "just as bad." According to GeekOSystem, unlike SOPA/PIPA, which sought to protect intellectual property, "CISPA operates under the guise of national cybersecurity as opposed to economic concerns". GeekOSystem states:
CISPA allows for the sharing of otherwise private data between private companies and the government (in both directions) so long as the exchange is ostensibly related to cybersecurity. What “cybersecurity” actually means is woefully unclear.
According to the bill, it would help "[protect] a system or network from -- (A) efforts to degrade, disrupt, or destroy such system or network; or (B) theft or misappropriation of private or government information, intellectual property, or personally identifiable information." GeekOSystem points out that copyright can be considered intellectual property by the FBI.
TechDirt isn't too optimistic about Congress appropriately addressing some of these concerns to fix the bill. It says making some definitions less broad and adding some oversight and liability to prevent the government from violating terms would make it more palatable. But, it still notes that the number of restrictions this would require "points to Congress' inability to effectively design internet regulation."
Forbes writes that more than 569,000 people have signed a petition at Avaaz.org in opposition to the bill. Some industry leaders, such as Facebook, Verizon, Intel and Microsoft, have publicly supported it. See more supporters here.
The bill is expected to be voted on by the House during the week of April 23.