The war over cyber war has sparked up once again. Last week, Washington saw not one but two major cybersecurity moves in the U.S. capital. On Tuesday, President Obama signed an executive order that gives federal agencies greater authority to share ‘cyber threat’ information with the public sector, a move the president touted in his State of the Union address. The same day, Reps. Mike Rogers (R-MI) and Dutch Ruppersberger (D-MD) reintroduced the Cyber Intelligence Sharing and Protection Act (CISPA), a hotly contested bill that passed the House last year, but died in the Senate.
Given the often vague nature of cybersecurity, the denseness of proposed legislation and executive orders, and the passion for these issues on both sides, some dispassionate clarification is due. Here’s a busy person’s guide to Washington’s big cybersecurity push.
What does President Obama’s executive order do?
Obama’s executive order aims to bolster cybersecurity protections for the nation’s ‘critical infrastructure’ networks – electrical grids, dams and other power stations, water supply companies, air traffic control, and financial institutions – through increased sharing of information. Specifically, it authorizes the government to provide companies that run critical infrastructure networks with “cyber threat information.”
“It is the policy of the United States Government to increase the volume, timeliness, and quality of cyber threat information shared with U.S. private sector entities so that these entities may better protect and defend themselves against cyber threats,” the executive order reads.
The executive order also calls for the federal government to draft recommendations for ways in which critical infrastructure providers can protect themselves from cyber attacks. Companies would not, however, be required to abide by these recommendations. It will also clarify which government agencies will take part in cybersecurity efforts.
Read the full executive order here.
Does anybody think this is bad?
Not really. Pro-business think tank the Heritage Foundation praises parts of the order, but also says it’s too broad in scope, meaning it may rope in businesses that don’t really need to be involved (“like agriculture”). Heritage also worries that it won’t do a very good job of increasing sharing, and believes it may lead federal agencies to increase their regulatory reach.
Privacy advocates, however, believe the executive order strikes the right balance between increased security and protections for personal liberty, as it only allows sharing in one direction: from the government to businesses – a key distinction, as we’ll see further on.
“Two cheers for cybersecurity programs that can do something besides spy on Americans,” wrote the ACLU.
The biggest complaint concerns Obama’s use of executive orders in general, which critics say circumvents the checks and balances of our government. True as that may be, a public executive order is seen by some experts as better than one that’s kept a secret, as many have been in the past.
What does CISPA do?
Like Obama’s cybersecurity order, CISPA’s primary aim is to increase the sharing of cyber threat information (or CTI, as the cool kids call it). Unlike Obama’s order, however, CISPA allows the sharing of information in both directions – from government to business, and vice versa. Sharing is not required by the law, but it is allowed.
CISPA also provides broad legal immunity to companies that collect and share CTI with the federal government, as long as they do so “in good faith” – which might mean businesses can’t be sued or charged with crimes for collecting and sharing CTI under CISPA. Furthermore, CISPA shields the shared CTI from transparency mechanisms, like the Freedom of Information Act (FOIA).
Read the full text of CISPA here: PDF.
Does anyone think this is bad?
You betcha. Privacy advocates are particularly peeved by this bill because they fear it will let the government get its mitts on our private communications; because we won’t know what of our information is being shared, they say; and because it may take away our power to punish companies that collect and share the information they have on us.
“Our concern from day one has been that these combined power and immunity provisions would override existing privacy laws like the Wiretap Act and the Stored Communications Act,” wrote the Electronic Frontier Foundation (EFF). “Worse, the law provides immunity ‘for decisions made based on’ CTI. A rogue or misguided company could easily make bad ‘decisions’ that would do a lot more harm than good, and should not be immunized.”
As soon as CISPA’s return was announced a last week, a variety of Internet-centric civil liberties groups, including Demand Progress, Fight for the Future, EFF, Avaaz, ACLU, and Free Press, launched petitions against CISPA. On Thursday, Demand Progress and Fight for the Future delivered more than 300,000 signatures to the House Intelligence Committee in protest of CISPA. And more than 1 million people have signed anti-CISPA petitions so far.
CISPA co-sponsors, Reps. Rogers and Ruppersberger, are doing everything they can to tamp down concern over CISPA, arguing that the bill is not about spying on citizens, and that increased sharing of CTI between the public and private sectors is an no-brainer way to combat cyber threats.
On the business side, U.S. Telecom, a lobbyist group from Internet service providers; CTIA, the wireless industry’s lobbying arm; and AT&T have all come out in favor of CISPA – but we should expect far more support from the private sector. Last time around, hundreds of companies directly or indirectly (through their lobbying groups) voiced support for the bill, including tech giants like Facebook and IBM.
Why is this happening all happening now?
Because the people in our government are convinced cyber attacks are a serious problem, and getting worse. According to a December report from the Department of Homeland Security, cyber attacks on oil pipelines and electricity providers has risen 52 percent over last year. And the National Intelligence Estimate recently indicated that the U.S. is, as the Washington Post tells it, the “target of a massive, sustained cyber-espionage campaign that is threatening the country’s economic competitiveness.”
All of this comes in front of the backdrop of sustained hacks of The New York Times, Wall Street Journal, Washington Post, and Bloomberg News by Chinese hackers – high-profile attacks which put cybersecurity concerns more firmly in the public mind.