The Internet has a new enemy. The Cyber Intelligence Sharing and Protection Act of 2011 (CISPA), also known as H.R. 3523, is a “cybersecurity” bill in the House of Representatives. CISPA is quickly gaining traction as “the new SOPA,” the infamous anti-piracy bill that was forced to crawl back into its hole after thousands of websites and millions of Web users protested with a massive, high-profile “blackout.” While CISPA does not focus primarily on intellectual property (though that’s in there, too), critics say the problems with the bill run just as deep. But what is CISPA, really, and will its presence on Congress’ agenda cause the same type of online revolt that SOPA and PIPA did?
What is CISPA?
Unveiled to the House by Rep. Mike Rogers (R-MI) and Rep. C.A. “Dutch” Ruppersberger (D-MD) late last year, CISPA is described as a “cybersecurity” bill. It proposes to amend the National Security Act of 1947 to allow for greater sharing of “cyber threat intelligence” between the U.S. government and the private sector, or between private companies. The bill defines “cyber threat intelligence” as any information pertaining to vulnerabilities of, or threats to, networks or systems owned and operated by the U.S. government, or U.S. companies; or efforts to “degrade, disrupt, or destroy” such systems or networks; or the theft or “misappropriation” of any private or government information, including intellectual property.
CISPA also removes any liability from private companies who collect and share qualified information with the federal government, or with each other. Finally, it directs the Privacy and Civil Liberties Oversight Board to conduct annual reviews of the sharing and use of the collected information by the U.S. government.
Who supports CISPA?
The bill currently has a whopping 106 co-sponsors in the House — more than twice the number SOPA ever had. Also unlike SOPA, CISPA has explicit support from some of the technology industry’s biggest players, including Internet service providers like AT&T and Verizon, Web companies like Facebook, and hardware companies like IBM and Intel.
What CISPA supporters say it will do
According to Rep. Rogers, CISPA will help U.S. companies defend themselves “from advanced cyber threats, without imposing any new federal regulations or unfunded private sector mandate.” It will also create “new private sector jobs for cybersecurity professionals,” and protect “the thousands of jobs created by the American intellectual property that Chinese hackers are trying to steal every day.”
In a statement, Rep. Ruppersberger pushed his reasons for proposing the legislation, saying, “Without important, immediate changes to American cybersecurity policy, I believe our country will continue to be at risk for a catastrophic attack to our nation’s vital networks — networks that power our homes, provide our clean water or maintain the other critical services we use every day. This small but important piece of legislation is a decisive first step to tackle the cyber threats we face.”
Private companies like the bill because it removes some of the regulations that prevent them from sharing cyber threat information, or make it harder to do so. In short, they believe the bill will do exactly what its supporters in the House say it will do — help better protect them from cyber attacks.
What CISPA opponents are worried about
As with SOPA and PIPA, the first main concern about CISPA is its “broad language,” which critics fear allows the legislation to be interpreted in ways that could infringe on our civil liberties. The Center for Democracy and Technology sums up the problems with CISPA this way:
• The bill has a very broad, almost unlimited definition of the information that can be shared with government agencies notwithstanding privacy and other laws;
• The bill is likely to lead to expansion of the government’s role in the monitoring of private communications as a result of this sharing;
• It is likely to shift control of government cybersecurity efforts from civilian agencies to the military;
• Once the information is shared with the government, it wouldn’t have to be used for cybesecurity, but could instead be used for any purpose that is not specifically prohibited.
The Electronic Frontier Foundation (EFF) adds that CISPA’s definition of “cybersecurity” is so broad that “it leaves the door open to censor any speech that a company believes would ‘degrade the network.’” Moreover, the inclusion of “intellectual property” means that companies and the government would have “new powers to monitor and censor communications for copyright infringement.”
Furthermore, critics warn that CISPA gives private companies the ability to collect and share information about their customers or users with immunity — meaning we cannot sue them for doing so, and they cannot be charged with any crimes.
According to the EFF, CISPA “effectively creates a ‘cybersecurity’ exemption to all existing laws.”
“There are almost no restrictions on what can be collected and how it can be used, provided a company can claim it was motivated by ‘cybersecurity purposes,’” the EFF continues. “That means a company like Google, Facebook, Twitter, or AT&T could intercept your emails and text messages, send copies to one another and to the government, and modify those communications or prevent them from reaching their destination if it fits into their plan to stop cybersecurity threats.”
Is the Internet freaking out like it did over SOPA/PIPA?
Not yet — but it’s starting to. After TechDirt’s Mike Masnick — a widely followed and trusted source on matters of laws regarding technology, intellectual property, and how they might affect our civil rights — posted an article telling readers to “forget SOPA, you should be worried about this cybersecurity bill” earlier this week, concerned Web users have started to take notice. On Reddit, a community that is largely responsible for the push-back against SOPA/PIPA, an increasing number of posts (some accurate, some not) have popped up regarding the potential dangers of CISPA. Anonymous has also started to get in on the action, having released a “dox” on Rep. Rogers, and a video condemning the bill, earlier this week.
Will CISPA pass?
Nobody can say for sure, but at the moment, its passage looks likely. CISPA breezed through the House Intelligence Committee on December 1, 2011, with a bipartisan vote of 17-1. Also, as mentioned, the bill has broad support in the House, with 106 co-sponsors, 10 of whom are committee chairmen.
As with any piece of legislation, however, nothing is certain until the president signs the bill. And if the Internet community rises up in the same way it did against SOPA and PIPA, then you will certainly see support for CISPA crumble in Congress (it is an election year, after all). That said, whether or not the Internet will react with such force remains a big “if.”
Regardless of the value of CISPA, cyber threats are a real and serious problem, one that the U.S. government will address through legislative means. Civil liberty watchdogs are always going to be wary of any bill that could possibly threaten our privacy, or put us at the mercy of corporations and the federal government. However, CISPA does have all the problems critics claim it has, and Web users should be paying critical attention to the bill.
Remember: opposing this particular bill, or others with similar problems, is not the same as a disregard for our cybersecurity, or national security — which is precisely how CISPA supporters in Congress will attempt to frame the opposition, if or when it gathers steam.