CISPA: is this major cybersecurity legislation an online privacy overreach?

How and why American companies partner with the U.S. government to fight computer hacks into their private networks by, let’s say, the Chinese government, is at the heart of federal legislation due for a House vote in Congress this month. The Maryland cybersecurity community is following closely to what could be the first comprehensive look at digital warfare. But is this another vague overreach into Internet freedom, like the PIPA and SOPA firestorm of 2011?

The Cyber Intelligence Sharing and Protection Act, reintroduced earlier this year after a failed attempt last year, seeks to amend the National Security Act of 1947 by including cyber threat intelligence. If passed into law, private companies could voluntarily share with the federal government cyber threat information and intelligence.
Private companies that are hacked could pass along information about the attack—IP addresses used to the launch the attack, for instance, or the addresses of command servers controlling botnets. The information would be sent to and coordinated by the cybersecurity center of the Department of Homeland Security, and be accessible by the National Security Agency and many other federal-level government agencies, offices and departments.
With growing concern about warfare, terrorism and corporate espionage happening online through the security weaknesses of a corporation or government computer network, there is widespread agreement that there needs to be a clearer strategy for the U.S. government’s role. But, as was debated by privacy activists about other online communication legislation in recent years, the question now being considered is if CISPA is important enough to overcome opposition or still seen as broad enough to be dangerous.
Watch Michigan Congressman Mike Rogers, who first introduced CISPA, discuss cyber threats in February on “Face the Nation”:
http://cnettv.cnet.com/av/video/cbsnews/atlantis2/cbsnews_player_embed.swf
With the bill set for final markup in closed-door committee hearings this week, and a general vote on the floor of the House of Representatives imminent, privacy and civil liberties groups are continuing anti-CISPA efforts they’ve coordiated around perceived attacks to the openness of the web.
As groups like the American Civil Liberties Union did when CISPA was first put to a vote in Congress in spring 2012, civil liberties advocates have aligned in opposition:

• In February, 300,000 online signatures were e-mailed to the House Intelligence Committee.
• In March, form letters signed by more than 30 privacy and civil liberties organizations were mailed to House representatives.
• Since being reintroduced, CISPA has been pilloried and dissected in FAQs and blog posts by privacy groups and journalists alike.

Privacy groups maintain that CISPA, as written now, is vaguely worded, legally dubious and not protective of Internet users’ personally identifiable information (what’s known as PII), which is not needed to share relevant, actionable information about a host of harmful programs, like malware, that attack a computer’s or network’s security system.
Those three key objections, as they’re found in the CISPA bill:

1. Vague wording: Cybersecurity providers hired by private companies may “for cybersecurity purposes use cybersecurity systems to identify and obtain cyber threat information to protect the rights and property of” the private company. Nowhere in the bill, however, are the terms “cybersecurity purposes” or “cybersecurity systems” more precisely defined. See section (b)(1)(A)(i), pages 4 and 5.
2. Legally dubious: Cybersecurity providers may share cyber threat information with the federal government “notwithstanding any other law,” including laws like the Electronic Communications Privacy Act. Furthermore, provided private companies are “acting in good faith” when sharing cyber threat information, such companies are exempt from “civil or criminal” liability. See sections (5), (b)(1)(A) and (b)(1)(B), pages 4 and 5. Also see section (b)(4)(A), pages 8 and 9.
3. Not protective of PII: Section (c)(4), pages 11 and 12, prohibits the federal government from using eight different types of records “containing information that identifies a person,” including medical records and firearms sales records, that might be passed from a private company to the government. Not included in that list, however, is such information as personal e-mail messages and text messages.

Last spring, CISPA (originally introduced in 2011) managed to pass the House by a vote of 248 to 168 before a revised cybersecurity bill foundered in the Senate last summer.

As he was a year ago, Congressman Mike Rogers is unconvinced of the privacy objections. He told The Hill in March that “everyone agrees we need an information-sharing [measure] now.”
“He has been saying that he’s been negotiating with privacy advocates,” Mark M. Jaycox, a policy analyst with the Electronic Frontier Foundation, told Technically Baltimore. “At least with respect to EFF, we haven’t negotiated with [Rogers] at all.”
Also unconvinced of the objections raised by privacy groups is Dutch Ruppersberger, co-sponsor of CISPA, the ranking member of the House Intelligence Committee, and the Democratic representative from Maryland’s 2^nd Congressional District.
“Part of my role is to deal with the privacy issues, and I feel we have done this in the bill,” Ruppersberger said in March.

Ruppersberger occupies an interesting position with respect to any vote on CISPA and the federal government’s direction forward on cybersecurity. U.S. Cyber Command, Fort Meade, and the headquarters of the National Security Agency are all inside Ruppersberger’s district. In Maryland, whose national representatives lobby hard to bring defense dollars to this side of the Potomac River, cybersecurity represents a 19,000-person industry.
While Ruppersberger maintains that CISPA is about sharing “code, not content,” the specter of privacy infractions raised by civil liberties groups this year was what earned CISPA a veto threat from President Obama in 2012. Thanks to a We the People online petition with more than 108,000 signatures, the White House again will have to publish its thoughts about CISPA.
Chances seem good that CISPA will make its way through the House of Representatives once more. But if it passes the Senate, and ends up at the Oval Office, there’s still cause to hope for privacy advocates.
Said Jaycox: “We expect the president to issue a veto threat.”
This is part one of a Technically Baltimore series on CISPA.

• Read part two, on why CISPA is being reintroduced now, America’s “cyber war,” and broad liability protections for private companies sharing cyber threat information with the federal government.