A bill that would foster stronger cyber security by enabling government and private sector companies to share information is facing opposition from privacy and civil liberties groups. The controversy is misguided, though, and the legislation is a step in the right direction.
CISPA, or the Cyber Intelligence Sharing and Protection Act, was introduced last year by the ranking members of the House Permanent Select Committee on Intelligence--Mike Rogers (R-MI) and Dutch Ruppersberger (D-MD). The legislation's goal is to establish a framework for government and private companies to share sensitive information in the effort to identify and block cyber attacks more effectively.
CISPA initially made it through the Senate, buoyed by support from a large number of high-tech companies like AT&T, Comcast, Oracle, Symantec and Microsoft. It later died on the vine, however, over concerns of Big Brother spying on American citizens. But now it's back again: Last month, its congressional sponsors resurrected the bill in response to high-profile attacks against American targets during the last year.
The CISPA backlash
Yes, the bill is back, but CISPA hasn't gotten any more popular since last year. The EFF (Electronic Frontier Foundation), ACLU (American Civil Liberties Union), and other privacy advocacy groups are aligning to oppose the legislation once again. What's more, Facebook, an original supporter of the legislation, just rescinded its support this week.
The ACLU shared with me a letter that was sent to congressmen Rogers and Ruppersberger on behalf of a coalition of concerned organizations. The letter expressed serious reservations with CISPA, calling out failure to establish civilian control over the information-sharing program; failure to require private organizations to strip personally identifiable information from data shared with the government; and failure to ensure iron-clad protection for the information that is shared.
Kurt Opsahl, senior staff attorney with EFF, explained to me, "The Mandiant report shows how much useful information could be shared without a new bill... The problems [with this bill] are fundamental, and probably too deep to fix with a compromise."
But, is the backlash warranted?
On April 16 of 2012, an amendment to the bill was aimed at tackling privacy concerns. There were questions over terminology, so the amendment clarifies what is meant by "cyber threat information" to ensure a narrower interpretation that does not include "intellectual property."
Some expressed concerns that the bill would authorize ISPs or service providers to block accounts or remove content. In response, the amendment specifies that the legislation is limited to identifying, obtaining, and sharing cyber threat information, and expressly states that the bill does not provide any authority to block accounts or delete information.
The amendment addresses the key privacy concerns. It prevents any information obtained from being used for any other purpose than the intelligence gathering it was intended for, and allows for the US government to be sued if the information obtained is used in ways that violate the limitations placed on the bill. The amendment also gives the United States Attorney General oversight to monitor activity under CISPA and ensure privacy safeguards are maintained.
Microsoft shared with me its official statement on CISPA, which simultaneously stresses the privacy concerns, but also acknowledges that progress is being made, and implies Microsoft's support for the underlying goals of CISPA:
"Microsoft believes that any proposed legislation should facilitate the voluntary sharing of cyber threat information in a manner that allows us to honor the privacy and security promises we make to our customers. Legislation introduced in mid-February reflects important changes resulting from an active, constructive dialogue about a prior version of the bill, and that dialogue must continue. We look forward to continuing to work with policymakers and others to improve cyber security while protecting consumer privacy." - Scott Charney, Corporate Vice President, Trustworthy Computing
In late February at the RSA security conference, I sat down with the sponsoring representatives, Rogers and Ruppersberger. Rogers explained the motivation behind supporting the bill once again. "The amount of wealth that has been transferred from the United States to places like China is breathtaking and dangerous," he said.
Rogers and Ruppersberger believe that if United States intelligence agencies could share classified information with the private sector, then the security industry and private corporations will be better armed to defend themselves. Similarly, the intelligence community could also benefit from private companies sharing what they know about attacks with the government.
The two-way sharing of information is vital in seeing the big picture of security threats, and detecting and preventing attacks. Indeed, information-sharing following the Operation Aurora attacks against Google and other organizations provides a solid example of how effective such sharing can be. Each company might know something suspicious is going on, but may only see one piece of the puzzle. By comparing notes with other companies and intelligence agencies, the pieces can be locked together for a more complete view of the attack.
The goal, according to Rogers, is to tackle information-sharing in a way that has broad, bipartisan support, and buy-in from key stakeholders in both the government and the private sector. The congressional supporters believe that CISPA is the best way to give the government and private sector the necessary tools to detect sophisticated attacks, and guard against advanced, persistent threats.
Rogers and Ruppersberger re-submitted CISPA following President Obama's State of the Union address, in which he called for protecting the nation against cyber attacks. Has anything changed in the bill that differentiates it from the version that was shot down? No, nothing has changed.
Ruppersberger explained that he and Rogers are both members of the "Gang of Eight," a group of elected officials who are given access to key intelligence information, and who are briefed on national security issues deemed too sensitive to be shared more broadly with the rest of Congress. He said he is often asked what keeps him awake at night, and one of his top responses is "cyber attacks."
But why submit the same legislation over again? Ruppersberger said that the threat landscape has changed since last year, and there is more support now for what they're trying to accomplish with CISPA. "We are being exposed, and these attacks are getting more aggressive--the Washington Post, the New York Times, the Wall Street Journal, I mean the Treasury Department, and it goes on...Aramco, 30,000 computers knocked out. They got a lot more aggressive."
One criticism of the bill concerns how much information private companies would share with the government. CISPA opponents want various types of data to be stripped or minimized before being sent to the government, but private companies don't want the added burden of trying to sift through data before sharing it.
Ruppersberger explained that the NSA already has the tools and technology for minimizing the data once the government receives it, and that this is an issue he believes can be worked through. Some of the other concerns related to CISPA are a matter of jurisdiction. Rogers and Ruppersberger are viewing the world through the lens of the House Permanent Select Committee on Intelligence, and they've crafted legislation to address the problems they see within the scope of that committee.
So where are we at now? The legislation must now go through mark-up and get through committee before it even has a possibility of being voted on. So there's still time to work through issues and negotiate compromises to address any remaining concerns.
CISPA demands a tough balancing act, but it's crucial to the economic and national security interests of the United States that we address the threat of cyber attacks. Neither the government nor private industry can tackle the problem alone, so legislation like CISPA is necessary to facilitate the kind of sharing and cooperation we need.
The views expressed in this article are those of the columnist, and not necessarily those of PCWorld.