Lock and load, Internet rights warriors – CISPA is coming back from the dead.
The Cyber Intelligence Sharing and Protection Act, or CISPA – one of 2012’s most reviled pieces of Internet-related legislation – is expected to be reintroduced to the House of Representatives on Wednesday by Rep. Mike Rogers (R-MI), chairman of the House Intelligence Committee, and ranking Democrat Rep. Dutch Ruppersberger of Maryland. Needless to say, Internet rights advocates have already started prepping for a battle with the undead.
CISPA’s stated purpose is to make U.S.-based computer systems safer by the federal government and private businesses sharing information. But rights groups say the bill would trample our Fourth Amendment right against “unreasonable searches and seizures,” because our information could theoretically be passed on to shadowy government organizations like the National Security Agency, and the Department of Defense. (That is to say, more than it is already.)
The version of CISPA set for reintroduction this week is not yet public, but reports indicated that it will be more or less a duplicate of the previous version (PDF), which passed the House last year after the addition of numerous amendments, but later died in the Senate. If the new CISPA is identical to the old CISPA, the bill would override all existing privacy laws to make it easier for the government to share classified “cyber threat” data with businesses, and for businesses to share information about their customers and users without threat of committing a crime or losing out in a lawsuit, for purposes of “cybersecurity” or “national security” – a term so vague that it could mean almost anything.
“Companies that share information would get complete liability protection, meaning they would no longer be held accountable by their customers or even the government if they negligently or recklessly mishandle information,” wrote Michelle Richardson in The Hill last April. “Once in government hands, information can be used for any lawful purpose so long as a significant purpose is cybersecurity or national security.”
Lay of the land
Soon after the first report of CISPA’s return hit the Web, rights group Fight for the Future launched CISPAIsBack.com, which urges people to sign a petition in protest of Zombie CISPA, and to call Members of the House Intelligence Committee to let them know “that voters don’t support this bill.” At the time of this writing, some 28,000 people have signed the petition, according to the group.
As impressive as that may be, I expect that the fight against Zombie CISPA will take place on a far muckier battlefield this year thanks to a recent wave of high-profile cyberattacks. Just last week, The New York Times, the Wall Street Journal, and other news organizations reported cyberattacks on their networks and reporters’ email accounts by actors in China. And on Sunday, the Washington Post reported that U.S. National Intelligence Estimate recently concluded that the U.S. is a primary target of “cyber-espionage” that is “threatening the country’s economic competitiveness.”
Additionally, Rep. Rogers took to CBS News’ “Face the Nation” to sell his forthcoming bill.
“We’re getting robbed every single day,” said Rogers of current U.S. cybersecurity preparedness. “We have, as the U.S. government, set up lawn chairs, told the burglars where the silver is – in the bottom drawer – and opened the case of beer and watched them do it.”
In short: Anyone who is paying cursory attention to cybersecurity-related news likely knows two things: We are getting attacked on a regular basis. And Members of Congress are trying to do something about it. They may be thinking, in other words, that CISPA is a good idea. Add this to the fact that, last time around, some 800 companies, including technology giants like Facebook and IBM, either directly or indirectly supported CISPA, and the anti-CISPA crowd faces an even steeper uphill battle this year – a battle that they did not win last time, anyway.
Until we see the exact text of Zombie CISPA, it is impossible to assess the bill. But if this is the first you’re hearing about it, remember this: We are under attack. We do need to improve our cybersecurity legislation. But CISPA is probably not the right way to go about it.
Overall, it is still too soon to know how concerned we should be about Zombie CISPA. This uncertainty is amplified due to the fact that, according to The Hill, President Obama is expected to issue a long-anticipated executive order on Wednesday that would set cybersecurity standards for critical infrastructure networks, and make it less risky for businesses to share information about malware and other cyber threats with the government, without fear that they will take a hit in reputation or on the stock market for being seen as vulnerable to attack. If that happens, CISPA may be the least of our worries – or get shelved entirely.
Regardless of what happens on Wednesday, I believe the proper path to effective and constitutional cybersecurity policy requires all parties involved to take a deep breath, and resist the urge to freak out. Measured approaches on both sides of the debate are essential. Gut reactions are not.