Cyber Intelligence Sharing and Protection Act (CISPA)
Jonathan Lin
2013-02-27 00:00:00

He and Republican Congressman Mike Rogers were justifying the need to reintroduce the Cyber Intelligence Sharing and Protection Act (CISPA), a bipartisan bill that allowed private companies to share information on "cyber threats" with the government and each other.

In April of last year, CISPA came under major fire and stayed in the headlines for weeks. Groups opposing the bill included the American Civil Liberties Union (ACLU), the Center for Democracy and Technology, and the Electronic Frontier Foundation (EFF), which warned that CISPA would encourage Internet companies to hand over their customers' private information (personally identifiable information, or PII) to military spy agencies. Their campaign aimed to rekindle the public backlash that forced Congress to abandon anti-piracy legislation back in 2011.

CISPA's reintroduction on the 13th of February came a day after President Obama's Executive Order, which, in addressing growing cybersecurity threats, gave government agencies permission to share their threat information with companies (not the other way around). The aforementioned critics of the earlier bill in 2012 were concerned about the lack of restrictions narrowing the way government agencies and companies shared private information.

Key amendments to this year's reintroduced bill seemed to address some of this criticism, including placing limits on the types of user information shared, the scope of sharing, and how the government could use it. The Center for Democracy and Technology, which had previously criticized the 2012 bill, had been won over, stating that "good progress has been made" in the "important privacy improvements" to the bill.

At their public panel, Ruppersberger repeatedly emphasized the reductions made to the government's capacity to monitor PII, noting how "the bill does not authorize the government to monitor your computer, read your emails, Tweets, or Facebook posts - this is clear." He also stressed the priority of avoiding costly and time-consuming lawsuits, while adding that necessary legal action would be taken against private companies that are not carrying out proper measures to protect private information.

Ruppersberger stressed that the intelligence community was monitoring the many attacks raining down on US banks and companies every day, and would really benefit from the passing of a law that allowed that community to "pass on classified information to the businesses and providers, so they can protect us and our country." He emphasized that his overarching concern was whether Congress could pull through on this one and come to an agreement, gesturing at the political gridlock that was greatly jeopardizing the country's ability to get things done.

Rogers reiterated the policy restrictions that would limit the room for abuse of CISPA, responding to a question about "bad computer hygiene" and what happens if someone is unaware that their machine is under attack, or turned into a "botnet." He replied that the government would be "constantly checking the millions of signatures that they know are bad, and once it catches the anomaly, whether in Switzerland or Eastern Europe, it will send the information to protection service providers such as Norton or McAfee." Rogers reinforced that no one would be going through the invaded machine, but would instead be going after the source of the threat, and said that "if someone would want to do that, then they would have to get a court order, just like today. That would not change, and that's the beauty of it."

At the end of his response he said that under ideal circumstances, users of affected machines would notice nothing and "carry on doing their thing," while government agencies communicated with providers and businesses to lock down the perpetrators, under the new legislation they hope to see passed, of course.

The common theme of the session was the potential for cooperation between the government and the private sector to take action on cybersecurity threats and reduce vulnerabilities, which naturally is very reassuring. Yet there are real concerns that the amendments to the bill still leave room for flagrant abuse, particularly with regard to the broad immunities that CISPA offers to companies that do choose to cooperate in the data sharing across information networks.

Outspoken digital communication advocates and IT consultants say that very few are opposed to addressing cybersecurity, but certainly not at the expense of Americans as a people losing more of their civil liberties and being unable to defend themselves against multi-million dollar corporations that have not shown clear signs of respecting individual private information. Even if these companies are not combing through personal Tweets or Facebook posts, PII is still out there and easily exposed to abuse and exploitation. CISPA is likely to continue dominating headlines as the privacy-invading bill, and though President Obama threatened last time to veto the bill if it made it to his desk, his Executive Order may mean such an option is unviable.