Beyond CISPA: The cybersecurity bills you need to worry about right now


We’ve had a bit of a break from Congress’ cybersecurity legislative hoopla since the House passed the contentious Cyber Intelligence Sharing and Protection Act (CISPA) late last month. But with the Senate back from recess, the fight over Internet regulation is roarin’ and ready to roll.

Despite all the fears surrounding CISPA — a bill that would make it easier for the Federal government and businesses to share information (including users’ private communications) — the rumblings from Capitol Hill suggest that CISPA won’t even make it onto the Senate’s agenda, thanks to broad opposition from Senate Democrats and a veto threat from President Obama. (That’s right — you probably don’t have to worry about CISPA itself anymore, though that’s not saying much.) Instead, the Senate is expected to take up two alternative bills: the Cybersecurity Act of 2012 (CSA), sometime this week, and the SECURE IT Act, sometime this month.

Here is a (relatively) concise rundown of what these bills are, and why civil liberties advocates say they too threaten our individual privacy.

What is the Cybersecurity Act of 2012?

The Cybersecurity Act of 2012 (officially known as S. 2105, and often referred to in the press as the “Lieberman-Collins bill”) seeks to establish robust security standards to protect against “cyber threats,” with a particular emphasis on the protection of “critical infrastructure” networks in the U.S., such as electrical grids and air traffic control systems. Companies that operate such systems, assets, or networks would be required to prove to the government that they have certain safeguards in place to protect against cyberattacks.

Like CISPA, CSA also removes certain legal barriers to allow for greater information sharing between the government and the private sector. Finally, CSA establishes the Department of Homeland Security (DHS) as the Federal government’s lead agency for controlling the cybersecurity infrastructure.

Read the CRS summary of CSA here. Or read the full text here.

CSA was introduced to the Senate on February 14 by Homeland Security and Governmental Affairs Committee Chairman Joe Lieberman (I-CT), Ranking Member Susan Collins (R-ME), Commerce Committee Chairman Jay Rockefeller (D-WV), and Select Intelligence Committee Chairman Dianne Feinstein (D-CA). Only one other senator, Sen. Sheldon Whitehouse (D-RI), has co-sponsored the bill since its introduction, though it has explicit support from Senate Majority Leader Harry Reid (D-NV), and the Obama White House.

What is the SECURE IT Act?

Officially known as S. 2151 in the Senate, and H.R.4263 in the House, SECURE IT is a direct response to CSA. Like CSA and CISPA, both the Senate and House versions of SECURE IT remove legal barriers to allow for greater sharing of information between the government and businesses. Unlike CSA, however, SECURE IT does not establish a governmental regulatory system to oversee cybersecurity threats or to make sure that security standards are in place for critical infrastructure. Instead, SECURE IT provides a number of incentives to companies that choose to share “cyber threat information” with the Federal government.

Furthermore, SECURE IT establishes criminal penalties for a wide range of cybercrimes, from “trafficking in passwords” to causing damage to critical infrastructure networks or systems.

SECURE IT was first introduced by Sen. John McCain (R-AZ), and has seven co-sponsors in the Senate, all top-ranking Republicans. In the House, SECURE IT was introduced by Rep. Mary Bono Mack (R-CA), and has one co-sponsor.

Read the full text of S. 2151 here, and the full text of H.R. 4263 here.

What is the difference between the Cybersecurity Act of 2012 and SECURE IT?

Two words: government regulation.

The fight over these two bills is classic Washington bi-partisanship. The Democrat-backed CSA establishes a governmental regulatory apparatus that would put in place certain mandatory security measures that private companies (specifically those that deal with critical infrastructure) would have to meet. While some say that CSA doesn’t go far enough towards enforcing these standards, Republicans don’t like this “big government” approach to cybersecurity at all. SECURE IT’s chief sponsor, Sen. John McCain, has called CSA a “regulatory leviathan.” And critics in the private sector insist that CSA would put harmful burdens on businesses.

There are, however, quite a few key differences in the eyes of critics, which I’ll get into below.

What do civil liberty advocates have to say about these bills?

They are against both of them. (Surprise!) This week, more than two dozen groups signed on to two separate (but very similar) letters decrying CSA and SECURE IT. Their points of contention with these two bills often echo one another, but do differ to varying degrees. The letters are both worth reading in full (here, here), but here is a concise-as-possible list of their complaints:

Sharing personally identifiable information

CSA: Actually, CSA is better than either SECURE IT or CISPA on this point, as it requires that companies make every “reasonable” effort to strip shared data of personally identifiable information. However, the ACLU says that this still does not go far enough to protect private information.

SECURE IT: Critics say SECURE IT has no “meaningful requirements to ensure that private information is anonymized,” and would actually allow companies “to share the virtually limitless category of private information that ‘fosters situational awareness’” for U.S. security purposes.

Privacy law overrides

CSA: As with CISPA, CSA effectively overrides all other privacy laws to allow companies to share “communications and records” with the government, even if that information has nothing to do with cyber threats.

SECURE IT: SECURE IT does basically the same thing for privacy laws, and also overrides tort laws.

Sharing with the military

CSA: Under CSA, the Department of Homeland Security would establish which government agencies may access information shared under the legislation. CSA allows DHS to designate the National Security Agency (NSA), and other military agencies with little to no public oversight, as “exchanges” of this information — something civil liberties groups say is unacceptable. (This also remains a primary complaint against CISPA.)

SECURE IT: Not only does SECURE IT allow the NSA and other defence agencies to access private information shared under the legislation — it requires it. All information shared under SECURE IT must be immediately shared with the NSA and other military organizations, “thereby nullifying a company’s choice to share user or customer information with a civilian, rather than a military agency.”

Using data for other crimes

CSA: This is perhaps one of the most problematic parts of CSA. Information shared under the legislation may be used for any other criminal investigation — even those that have absolutely nothing to do with cybersecurity — as long as the information “appears to relate to a crime which has been, is being, or is about to be committed.” This, critics say, is a direct attack on the Fourth Amendment requirements for warrants and other privacy safeguards.

SECURE IT: Less extreme than CSA on this point, SECURE IT still allows the government to use information shared under the legislation for “many other crimes” unrelated to cybersecurity, especially many “for which a wiretap may be used.” Again, critics say this is detrimental to our Fourth Amendment protections.

Company liability

CSA: Companies that share information with the government under CSA are granted legal immunity (meaning they cannot be sued or charged with criminal offenses) for doing so. By giving companies this immunity, CSA eliminates their ability to offer meaningful privacy guarantees to users, or to compete with each other by offering better protections than their competitors. It also takes away users’ or customers’ ability to sue these companies for sharing their information with the Federal government.

SECURE IT: The exact same complaint exists for SECURE IT.

In short, both CSA and SECURE IT draw many of the same complaints as CISPA, to a greater or lesser degree, depending on which part of the bills you’re looking at. The list above is only a portion of the complaints made by rights advocates, so it is definitely worth reading both the full text of these bills (warning: they are very, very long) and the letters if you want a thorough understanding of the issues at play. Also, the Electronic Frontier Foundation (EFF), one of the organizations that signed both of the letters mentioned above, goes into much greater detail about the problems with these bills here.

Do we really need cybersecurity legislation?

According to those in Congress, the answer is a resounding “YES! For the love of all that is good in this world, YES!”

Or, as Sen. Lieberman explains: “This bill would begin to arm us for battle in a war against the cyber mayhem that is being waged against us by our nation’s enemies, organized criminal gangs, and terrorists who would use the Internet against us as surely as they turned airliners into guided missiles. The nation responded after 9/11 to improve its security. Now we must respond to this challenge so that a cyber 9/11 attack on America never happens.”

This “cyber 9/11” line is one that has been used by nearly all those pushing cybersecurity legislation — CSA, SECURE IT and CISPA alike. No surprise there, since the scare tactic seems to be working. Wired points out a new study by Unisys (pdf), which shows that more Americans now view cyberattacks as a greater threat to the country than terrorism — a rather amazing thing, considering the years of terrorism fear-mongering that those of us in the U.S. have gone through since the final months of 2001.

That said, even organizations like the Center for Democracy and Technology (CDT) — a key player in the fight against CISPA — say that greater safeguards against cyberattacks are needed. It is impossible to say at the moment, however, whether the threats are genuinely as serious as the politicians make them out to be, or whether legislation like CSA or SECURE IT is needed to protect against those threats.

What happens next?

Neither CSA nor SECURE IT has yet been placed on the Senate’s agenda, though it is widely believed that CSA will come up for consideration on the Senate floor sometime this week. SECURE IT, which does not have the support of Majority Leader Harry Reid, will likely go up for a vote sometime later in the month. (There is no timeframe yet for the House version of SECURE IT going up for a full vote.)

If either CSA or SECURE IT passes, the legislation will then likely be reconciled with CISPA (if CISPA is brought forth at all) before it can go to President Obama’s desk for his signature (or veto, as the case may be). However, the Republican-controlled House has indicated repeatedly that it will not pass a bill that imposes great government regulation, which would likely cause problems for CSA. In the end, it may be Obama’s veto pen — or lack thereof — that decides the future of our online privacy.

Have questions about CSA, SECURE IT, or CISPA? Hit me up on Twitter: @andrewcouts. I’ll do my best to find quality answers for you right away.

