As Web users continue to lather themselves into a frothy rage over the Cyber Intelligence Sharing and Protection Act, better known as CISPA, the House Intelligence Committee revealed late Monday night that the bill’s co-sponsors are currently considering changes that they hope will cool down the opposition.
A “general backgrounder” and “general Q&A” on the bill, which were distributed to reporters prior to a press conference call today, describe a number of “new provisions,” none of which have yet been approved, that will purportedly address criticisms that the bill’s current language provides no repercussions for the misuse of information gathered as a result of CISPA, and that the bill would effectively militarize what is currently a task under civilian authority.
The first new provision under consideration would make the U.S. government liable for “damages, costs, and attorney’s fees in federal court action” if the government uses the information gathered under CISPA for any reason other than to protect American “networks or systems” from cyber threats, or if the government collects the data in any way other than through the voluntary hand-over by private companies.
As the Center for Democracy and Technology (CDT) notes, CISPA in its current form “could be used to prosecute an individual for any crime,” or “used to target him or her for intelligence surveillance.” The provision above is an attempt to diminish those concerns, as the government could be sued for doing either of those things.
Another concern of the CDT and other critics is that CISPA would allow the information collected under the legislation to be shared with any governmental body. The CDT is most concerned that this would include the National Security Agency and the Department of Defense’s Cyber Command, both of which are military organizations and operate in almost complete secrecy. Currently, the U.S. government’s cybersecurity efforts are under the jurisdiction of the Department of Homeland Security (DHS), which is a civilian organization and subject to far greater public scrutiny.
Under the next new provision, the DHS would “generally receive copies of all voluntarily shared cyber threat information for the purpose of ensuring that the information was shared for cybersecurity purposes.” Also, the DHS would be responsible for sharing that information with other parts of the federal government. Finally, neither the DOD nor the Intelligence Community would have the authority to require that private companies share information with them as a prerequisite for receiving classified cyber threat intelligence.
Despite these new provisions, critics are still concerned that the bill’s definition of what constitutes a “cyber threat,” or a threat to national security, remains too broad, as any information could potentially be construed to fall into one of these two categories, especially considering that the bill blatantly defines a “cyber threat” as the “theft or misappropriation of private or government information, intellectual property, or personally identifiable information.”
CISPA’s chief co-sponsor, Rep. Mike Rogers (R-MI), disagrees, repeatedly telling reporters during the conference call earlier today that the definition of “cyber threat” is “very limited,” and that the “intended” purpose of the bill is not to go after copyright infringers, but instead to combat “nation states” like Russia and China who are intent on attacking U.S. businesses and infrastructure.
Another primary concern is that CISPA does not require companies to strip out personally identifying information from the information they share with the federal government — it only “encourages” that they do so, which is entirely different.
As you may have noticed, the primary concern here is CISPA’s broad language. That is to say, it is not what is in the bill that has people worried, it’s what’s NOT in the bill, like a narrower definition of which instances constitute “cyber threats” or “national security,” or explicit prohibitions on the sharing of private information.
Alas, the fight against CISPA will go on at least until the bill goes before the full House, which is expected to happen sometime in the last week of April. Civil liberties groups including the CDT, the Electronic Frontier Foundation, and the American Civil Liberties Union, are reportedly planning to launch a concerted campaign against CISPA sometime next week.
There is still time to fix CISPA, but few have much confidence in the Congress’ ability to craft legislation that will achieve the stated goals without posing new potential threats to privacy and civil liberties. During the conference call, Rep. Rogers and Rep. Dutch Ruppersberger (D-MD), the bill’s other chief sponsor, said that they are open to suggestions for how the bill can be improved. So perhaps there is still hope – but don’t count on it.