In a vote that had been moved up a day, the Cyber Intelligence Sharing and Protection Act was passed by the full House of Representatives Thursday evening (April 26) along mainly party lines. SecurityNewsDaily will have a follow-up story Friday.
Congress' latest stab at a cybersecurity bill is getting flak from many people: civil libertarians, experts who say it doesn't do enough to address real problems and, as of yesterday (April 25), the White House.
Some groups, including the American Civil Liberties Union and the Electronic Frontier Foundation, as well as the hacktivist movement Anonymous, are trying to rally opposition to the bill on the Internet and in Silicon Valley, hoping to repeat their successful campaign against the Stop Online Piracy Act.
Technology companies, however, are staying out of the fight, or even supporting the bill, and many cybersecurity experts say the bill’s aims are worthwhile even while its language is flawed.
The bill, House Resolution 3523, or the Cyber Intelligence Sharing and Protection Act (CISPA), was introduced in November by Reps. Mike Rogers (R-Mich.) and Dutch Ruppersberger (D-Md.). It is currently under consideration by the full House of Representatives, but no vote has yet been called.
The bill asks the Director of National Intelligence (currently retired Air Force lieutenant-general James R. Clapper) to establish procedures for the government and the private sector to share information about cyberthreats.
The impetus for CISPA lies in the growing perception among lawmakers and military personnel that America faces threats to its critical infrastructure from foreign or terrorist computer hackers.
Congressional testimony by military men warning of a "digital Pearl Harbor" may sound exaggerated, but the Stuxnet worm that crippled Iranian nuclear facilities in 2010 proved that such dire scenarios have a basis in fact.
Right now, the sharing of information between the government and private entities is restricted, in part because it is against the law for the government to favor one company over another. CISPA is an attempt to address that.
Tell us, and you can do whatever you want
Civil liberties groups aren’t opposed to the aims of the bill. Their objections are to language that would shield private parties from any liability resulting from the sharing of cybersecurity information. In its current form, the bill says that as long as a private entity is acting in good faith, there is no liability.
The problem is that it’s hard to establish whether someone has acted in good faith or not, said Lee Tien, senior staff attorney at the Electronic Frontier Foundation (EFF) in San Francisco.
"There are few restrictions on that kind of surveillance," Tien said, referring to the constant network monitoring that would generate the data to be shared among agencies and companies. "Compounding that, there is almost nothing left of standard protection that kind of creates a balance between providers and users."
More to the point, Tien said, it is not clear from the bill which government agency is in charge of enforcing CISPA. Would it fall under civilian or military intelligence? That question, Tien said, hasn't been fully resolved yet.
The EFF, the American Civil Liberties Union (ACLU) and other groups last week led a "week of action" against CISPA, urging citizens to contact their lawmakers via online social networks.
Michelle Richardson, legislative counsel at the ACLU, said CISPA is the worst of the various cybersecurity proposals currently under consideration.
Richardson explained that under current law, governed by the Electronic Communications Privacy Act of 1986, there are civil and criminal penalties for releasing certain kinds of information.
"What they could have said was, 'here is exception to ECPA and FISA [the Foreign Intelligence Surveillance Act of 1978]' — that would have kept the oversight," Richardson said. "Instead, they said none of the privacy laws apply … There are bigger implications that most members on the Hill don't understand."
For example, the information-sharing provisions of CISPA contain the language "notwithstanding any other provision of law."
That might apply to the Health Insurance Portability and Accountability Act of 1996, which set rules to guard the security of private electronic health information.
But only if you want to
It's important to note that CISPA wouldn't require companies to share information with the government. It would only let them do so.
Dave Aitel, CEO of Miami Beach, Fla., security firm Immunity, Inc., said CISPA is an attempt to do cybersecurity on the cheap. A really good program would cost infrastructure companies and the Federal government money, and a spending- and tax-averse Congress is not willing to do that.
Aitel noted that a bill proposed by the Obama administration last year would have authorized the Department of Homeland Security to tell infrastructure companies what to do to beef up their security.
"That might have worked, but it was high-cost," said Aitel.
It isn't clear what gains CISPA would provide, he added, though he characterized the overall aim — providing data to the government so it can better assess cyber threats — as sound.
There is a lot of talent in the private sector, Aitel noted, and if the government wants to see a pattern of attacks, for instance, it's likely that Symantec or Google will have a lot of useful information. Some kind of protocol is necessary to disseminate information that could benefit everyone — but this bill isn't quite it, Aitel said.
Aitel is also concerned about the nature of the public-private information sharing. He noted that the Microsoft Active Protections Program (MAPP), in which Microsoft partners with other companies to share information about malware threats, was hit by a security breach last month. The breach led to the accidental release of malware code.
"This [CISPA] is the same thing on a government level and has the same [potential] problems," Aitel said.
Kyle Maxwell, a network-security specialist who writes the Overhack information-security blog, told SecurityNewsDaily that provisions in CISPA offer a central repository for shared information (the Office of National Intelligence), but also offer exemptions to the Freedom of Information Act of 1996 and to any assumption of liability.
On his blog, Maxwell pointed out that the "notwithstanding any other provision of law" phrase doesn't automatically give private entities immunity from all other laws, and courts don't usually interpret it that way.
Maxwell also noted that there are two other bills pending in Congress that attempt to address cybersecurity. The Cybersecurity Act of 2012 was floated in February by Sens. Joe Lieberman (R-Conn.) and Susan Collins (R-Maine). The Secure IT Act was introduced in March by Sen. John McCain (R-Ariz.) and later in the month introduced in the House by Rep. Mary Bono Mack (R-Calif.).
Both bills, like CISPA, govern information-sharing between the private sector and government, but have tighter definitions of the kinds of intelligence that would be shared.
There would be more support for CISPA, Maxwell said, if that bill had similarly specific definitions and restrictions.
Aitel said there are good ideas in CISPA. For example, it provides access to the talent in the private sector that government agencies don't always have.
However, CISPA is running into serious opposition. The White House on Wednesday (April 25) sent a strongly worded letter to the House stating that President Obama would veto CISPA in its current form.
"The sharing of information must be conducted in a manner that preserves Americans' privacy, data confidentiality, and civil liberties and recognizes the civilian nature of cyberspace. Cybersecurity and privacy are not mutually exclusive," the letter said.
"Citizens have a right to know that corporations will be held legally accountable for failing to safeguard personal information adequately," it said. "H.R. 3523 effectively treats domestic cybersecurity as an intelligence activity and thus, significantly departs from longstanding efforts to treat the Internet and cyberspace as civilian spheres."
Rep. Rogers, CISPA's primary sponsor, was calm about the White House letter.
"This is just, I think, them kicking up some dust," Rogers told the House Rules Committee Wednesday as it considered amendments to modify CISPA, according to Politico. "We think we can answer questions to get it to a place where the president will sign it."
Earlier this week, 18 House Democrats sent a letter to Rogers and his co-sponsor Ruppersberger asking them to address their "real and serious" privacy concerns about CISPA, according to Computerworld.
"Without specific limitations, CISPA would for the first time, grant non-civilian federal agencies, such as the National Security Agency, unfettered access to information about Americans' Internet activities and allow those agencies to use that information for virtually any purpose," the congressmen's letter noted.
The EFF, the ACLU and the Center for Democracy and Technology have all said the bill doesn't offer enough transparency about the information shared, or remedies for people concerned about their data.
Silicon Valley switches sides
Unlike the massive and successful pushback that took place against the Stop Online Piracy Act (SOPA) a few months ago, CISPA has failed to garner much opposition in Silicon Valley.
Some major technology corporations that opposed SOPA, such as Facebook and Microsoft, are behind the bill. (Google has admitted lobbying on CISPA but hasn't disclosed its position.)
Facebook is clear about its support of CISPA, though the company's vice president of public policy, Joel Kaplan, wrote a message to users clarifying the company's stance on privacy after users said they were worried about the bill.
Rep. Darrell Issa (R-Calif.), who led the opposition in the House against SOPA, has added his name as a co-sponsor to CISPA.
Even if CISPA turns out to be a good idea, it might be hard to get public support.
"People don't trust this Congress," Aitel said.
Richardson said dealing with cybersecurity vulnerabilities isn't hampered by privacy or liability issues, as demonstrated by the coordinated responses to past threats such as the Conficker worm.
"It's an organizational issue," she said.