The US House of Representatives revitalized efforts to pass the Cyber Intelligence Sharing and Protection Act (CISPA), which never got the approval of the Senate last year. Yesterday the bill passed by a margin of 288 to 127 after two days of debate, which included the potential of malicious cyber attacks raining down on American power grids and disrupting livelihoods.
Representative Joe Heck (R-NV) warned that "our nation is under attack," while Representative Mike McCaul (R-TX) made the comparison to the recent Boston marathon bombing tragedy earlier on Monday: "In case of Boston they were real bombs: in this case they're digital bombs." Representative Candice Miller (R-MI) even evoked the threat of North Korean hackers to convince the House that the time to introduce the bill was now.
CISPA facilitates the sharing of information concerning online attacks by companies with one another, in addition to disclosing such data with government agencies in order to quickly locate and capture those responsible. The primary purpose of introducing the bill is to beef up defensive measures against the numerous cyber threats that have lately attracted more mainstream and governmental attention.
Earlier in January, after New York Times journalist David Barboza wrote a Pulizer Prize-winning article on previous Chinese Premier Wen Jiabao's personal assets and wealth, the PRC government banned him from the country. Soon after the publication of his story, Barboza's email account along with the personal computers of fifty three other NY Times employees were infiltrated by hackers. Two months later in March, Sino-American ties were once again strained, when the U.S. demanded Chinese authorities to take more decisive action in tracking down individual hackers who had compromised the privacy and security of major American corporations.
Though denying any relation with the cyber attackers, the PRC government is thought to harbor groups of "nationalist" hackers who target the networks of China's rivals.
To its supporters, CISPA would enable the U.S. government to gain more access to information concerning these attacks. Currently many corporations, such as Bank of America, that are the victims of cyber attacks do not publicly disclose the online break-ins for fear of upsetting clients and customers.
Thus CISPA allows information to be shared only with government authorities, effectively meandering around the challenge of providing information of these hackings without scaring users away from its services. But therein remains the question of privacy and the potential for unfettered sharing of user information to the government in the name of "cyber security."
Returning to the two days of Congressional debate that eventually passed CISPA, the evocation of North Korean attackers and the Boston marathon bombing illustrates a new sense of urgency that informs cyber lawmaking. Pointing to existing and potential vulnerabilities in the system prove to be less efficient than citing the real blood and tragedy of an event that dominated domestic and international headlines. Meanwhile North Korea and its provocative behavior―though a norm in the international system these days―carries the real possibility of deadly attack and confrontation. Nuclear weapons are a significant threat, but the world hasn't (thankfully) yet seen the successful use of nukes from the DPRK.
But a few weeks earlier, cyber attacks had already successfully struck and disrupted many South Korean banks and corporations, with analysts and government officials confident that the assault originated from the north. These attacks prove to the world North Korea's capacity to break and enter, cause damage, and do more than simply cause inconvenience. And if the DPRK has the capability, one can only imagine the significantly more advanced and potentially devastating pieces of the Chinese cyber arsenal.
CISPA will undoubtedly continue to stir up resistance amongst individuals and advocacy groups concerned with digital liberties and the protection of private information. The introduction of the bill prompted increased awareness of personal data as property of corporations, and the vulnerability of this information to both malicious online assault and governmental perusal.
The intentions of the bill are not inherently misplaced; if opening up pathways for information sharing will help bolster defense, it seems only reasonable to agree to these procedures. Yet as damage continues to be inflicted in both the cyber and offline domains, the stakes only get higher, and the urgency to pass more stringent laws and restrictions in response will continue to grow.