As the Cyber Intelligence Sharing and Protection Act of 2011 nears its time in the congressional spotlight, supporters and detractors alike are fine-tuning their arguments in preparation for another battle over how the Internet will be influenced by federal legislation.
The core objective of CISPA is simple: Opening up greater means for communication between private entities and the federal government on issues of cybersecurity and national security.
“Today the U.S. government protects itself using classified and unclassified threat information that it identifies from attacks on its networks,” a staffer on the Permanent Select Committee on Intelligence said, introducing the legislation on a conference call April 10. “However, the majority of the private sector doesn’t get access to this information because the government has no mechanism today for effectively sharing.”
The points of contention reside within the details of the bill. Rebecca Jeschke, digital rights analyst with the Electronic Frontier Foundation, struck at the most important issue that her organization, and others, have with CISPA: the language of the bill itself.
“The language is so vague that there’s a huge level of interpretation of data that could be shared,” Jeschke said.
Michelle Richardson, a legislative counsel at the ACLU’s Washington Legislative Office, echoed Jeschke’s remarks.
As it stands now, she said, the bill is “broad enough to go beyond China,” referring to its proponents’ frequent invocations of Chinese subterfuge and espionage aimed at U.S. private and governmental networks.
The data intended to be shared, titled “cyber threat intelligence” within CISPA, is defined as information that is within the intelligence community’s hold “pertaining to the protection of a system or network from” one of the following.
“Efforts to degrade, disrupt or destroy such system or network … theft or misappropriation of private or government information, intellectual property or personally identifiable information.”
Rep. Dutch Ruppersberger (D-Md.), a co-sponsor of the bill alongside Rep. Mike Rogers (R-Mich.), has sought to address the concerns over the inclusion of intellectual property, which happened to be the contentious focal point of the defunct SOPA legislation.
“I am not talking about .mp3 files or movies or music, I’m talking about billions of dollars that American companies spend on research and development every year,” he said during Tuesday’s conference call.
Facebook, arguably the highest-profile supporter of the bill, given its vast resources of personal information, reiterated its support Friday in a statement released by Joel Kaplan, Facebook’s vice president of public policy.
“The concern is that companies will share sensitive personal information with the government in the name of protecting cybersecurity. Facebook has no intention of doing this and it is unrelated to the things we liked about HR 3523 in the first place - the additional information it would provide us about specific cyber threats to our systems and users,” he said.
Ruppersberger listed some of those possible threats during the conference call.
“You have the criminal front where people are just trying to steal identities, get into your account and steal your money … we believe that there will be a catastrophic cyberattack if we don’t at least start to put some protections in … and, lastly, this cyber espionage piece that is absolutely devastating to the future economy of the United States,” he said.
Richardson elaborated on the ACLU’s concerns with CISPA, and why they’ve been adamantly against it since the initial committee markup.
Ideally, Richardson said, there would be a limitation placed in the legislation so that the information-gathering efforts pertain only to cyberthreats, with Congress laying out an explicit road map establishing which agencies will be granted access to the data obtained from private companies.
“Here it’s a free-for-all,” she said, noting that data obtained through CISPA could theoretically end up in the Department of Defense or in the hands of the National Security Agency. Preferably, and this is something that Jeschke agrees with, the Department of Homeland Security, a civilian agency, would be the sole recipient given control of the data.
Otherwise, Richardson said, “It’s allowing them [companies] to go straight to the military.”
A new draft of CISPA, posted by the committee Friday, highlights areas in which the legislation has changed since its inception, and how it has adapted to the criticisms leveled against it. Amendments added are highlighted in green, while those still under consideration are highlighted in yellow.
Those under consideration include limitations on the spread of information disclosed to certified entities and the removal of liability from an entity sharing information with the government “unless such covered entity engages in willful misconduct in the sharing of such information and such willful misconduct proximately causes injury.”
The government, on the other hand, in a proposed amendment, would face the brunt of legal recourse for perceived violations of the codes of conduct, provided that the action is taken within two years of the violation.
Another proposed amendment could be a step toward addressing Richardson’s aforementioned concerns by limiting the ability of the Department of Defense or National Security Agency to use the information obtained to “provide additional authority to, or modify an existing authority of, the DoD or the NSA or any other element of the intelligence community to control, modify, require or otherwise direct the cybersecurity efforts of a private sector entity.”
Two approved amendments also serve as evidence of the committee’s moves to relieve concern over the bill, though they have not done so entirely. First is a provision prohibiting the federal government from affirmatively searching the information obtained, which comes with an exception: it can be sidestepped in favor of “the protection of the national security of the United States.” Second is the establishment of an annual review submitted by the Inspector General of the Intelligence Community covering the type of information shared, the application of that information, whether the actions taken under CISPA violated privacy or civil liberties, and recommendations for future conduct.
The opposition to CISPA has planned a week of action, titled by the EFF as “Stop Cyber Spying Week,” intended to heighten the pressure on its backers and raise awareness of the legislation. The ACLU is putting out a form for alerting congressional representatives of opposition to the bill, and there are calls for individuals to take to social media to spread the assertion that CISPA could provide the means to undermine privacy rights on the Web.
“Giving companies carte blanche to bypass federal law does not make us safer – it puts us at more risk,” EFF Senior Staff Attorney Lee Tien said in the organization’s official announcement of its protests.
But as the protests heat up this week, and as the additional amendments simmer under consideration, the way in which CISPA has evolved since its inception, even as the bill still earns the ire of activists and privacy advocates, is at least a positive indication that the concerns of many in the Internet community are being acknowledged and that attempts are being made to remedy them.
Original source: CISPA protests begin amid key changes to legislation