Like a lion in tall grass, legislation to bolster America’s defense against cyber-attacks has been lying in wait in congressional committees for years. But now that legislation is about to leap onto the congressional conveyor belt where bills become law. And, once again, internet activists are concerned that congressional overreach may trump good intentions.
House action starts Apr. 23 during what has been dubbed “Cybersecurity Week.” The Senate will act later. Two distinct paths have emerged. One allows companies to share with the government a narrowly defined set of information that protects privacy and respects civil liberties. The other is a more ominous path, creating new government surveillance capabilities with little restriction on abuse.
This Congress has dealt with dozens of bills relating to cybersecurity; most are now dead or dormant. The odds-on favorite to emerge in the House follows the ominous path: CISPA, formally known as the Cyber Intelligence Sharing and Protection Act. It’s also the target this week of a grassroots campaign aimed at raising awareness of the serious risks the bill poses. Internet users are being urged to call or write their members of congress and push for changes or vote against the bill as it now stands.
Whatever you have read — or re-tweeted — CISPA is not “son of SOPA.” The commonality between the two is that each takes a legitimate problem and tries to tackle it with an extreme solution. SOPA opposition turned on threats to the First Amendment; CISPA is about the Fourth, owing to the potential it creates for unprecedented government monitoring of internet users’ personal online information.
CISPA’s creators, Reps. Mike Rogers (R-Michigan) and Dutch Ruppersberger (D-Maryland), insist that their bill is mindful of user privacy while providing important legal mechanisms that would encourage private companies to share information with the government in return for receiving critical help in fighting off cyber attacks.
Information sharing is a critical component of successful cybersecurity policy, when that information is narrowly defined, is used only for cybersecurity purposes, and the process controlled by a civilian agency, such as the Department of Homeland Security.
The problem with CISPA is that any security it offers comes at the expense of unfettered government access to our personal information, which is then likely to be sucked into the secretive black hole of the spying complex known as the National Security Agency. The bill doesn’t specifically mention that information shared with the government will flow to the NSA, but neither are there any restrictions prohibiting that information from flowing to the agency. And, the agency has been lobbying for a larger role in cybersecurity operations of private networks.
Two weeks ago, CISPA was thought to be untouchable, until the winds of internet rebellion began to stir. And because no one associated with the bill wanted to be “SOPA’d,” meetings were quietly scheduled, doors creaked open; ideas were proffered.
It wasn’t supposed to happen this way. The deal was done; the “war” won without a shot fired. Wearing the invaluable cloak of bipartisan support, CISPA was sailing toward passage.
And then it wasn’t.
CISPA is changing at the margins but it still has four major problems:
- An overly broad, almost unlimited definition of the information can be shared with government agencies. And because that info is shared “notwithstanding any law,” CISPA trumps any federal or state privacy law that currently prohibits disclosure.
- Enactment is likely to lead to expansion of the government’s role in the monitoring of private communications.
- It could shift control of government cybersecurity efforts from civilian agencies to the NSA.
- It creates a backdoor wiretap program because the information shared with the government isn’t limited to just cybersecurity, but could also be used for other purposes, such as law enforcement or by intelligence agencies.
Industry opposition to CISPA has been muted. Recently, however, some companies began working to help craft a better bill, having brokered meetings that include Rogers’ staff, privacy groups and advocacy organizations.
And on Tuesday night the Obama administration weighed in when National Security Council spokeswoman Caitlin Hayden said in a statement — without directly mentioning CISPA — that any cybersecurity legislation “information sharing provisions must include robust safeguards to preserve the privacy and civil liberties of our citizens,” otherwise, it “will not meet our nation’s urgent needs.”
CISPA foreshadows a future fraught with dire consequences for our privacy and civil liberties, there is still time to quell those fears. CISPA’s congressional sponsors haven’t closed ranks and are still considering changes.
There is still time for CISPA to stray from its ominous path of surveillance, and onto the plausible path to cybersecurity, the one that preserves civil liberties and does no harm to privacy.