Beyond CISPA: The cybersecurity bills you need to worry about right now


We’ve had a bit of a break from Congress’ cybersecurity legislative hoopla since the House passed the contentious Cyber Intelligence Sharing and Protection Act (CISPA) late last month. But with the Senate back from recess, the fight over Internet regulation is roarin’ and ready to roll.

Despite all the fears surrounding CISPA — a bill that would make it easier for the Federal government and businesses to share information (including users’ private communications) — the rumblings from Capitol Hill suggest that CISPA won’t even make it onto the Senate’s agenda, thanks to broad opposition from Senate Democrats and a veto threat from President Obama. (That’s right — you probably don’t have to worry about CISPA itself anymore, though that’s not saying much.) Instead, the Senate is expected to take up two alternative bills: the Cybersecurity Act of 2012 (CSA), sometime this week, and the SECURE IT Act, sometime this month.

Here is a (relatively) concise rundown of what these bills are, and why civil liberties advocates say they too threaten our individual privacy.

What is the Cybersecurity Act of 2012?

The Cybersecurity Act of 2012 (officially known as S. 2105, and often referred to in the press as the “Lieberman-Collins bill”) seeks to establish robust security standards to protect against “cyber threats,” with a particular emphasis on the protection of “critical infrastructure” networks in the U.S., such as electrical grids and air traffic control systems. Companies that operate such systems, assets, or networks would be required to prove to the government that they have certain safeguards in place to protect against cyberattacks.

Like CISPA, CSA also removes certain legal barriers to allow for greater information sharing between the government and the private sector. Finally, CSA establishes the Department of Homeland Security (DHS) as the Federal government’s lead agency for controlling the cybersecurity infrastructure.

Read the CRS summary of CSA here. Or read the full text here.

CSA was introduced to the Senate on February 14 by Homeland Security and Governmental Affairs Committee Chairman Joe Lieberman (I-CT), Ranking Member Susan Collins (R-ME), Commerce Committee Chairman Jay Rockefeller (D-WV), and Select Intelligence Committee Chairman Dianne Feinstein (D-CA). Only one other senator, Sen. Sheldon Whitehouse (D-RI), has co-sponsored the bill since its introduction, though it has explicit support from Senate Majority Leader Harry Reid (D-NV), and the Obama White House.

What is the SECURE IT Act?

Officially known as S. 2151 in the Senate, and H.R.4263 in the House, SECURE IT is a direct response to CSA. Like CSA and CISPA, both the Senate and House versions of SECURE IT remove legal barriers to allow for greater sharing of information between the government and businesses. Unlike CSA, however, SECURE IT does not establish a governmental regulatory system to oversee cybersecurity threats or to make sure that security standards are in place for critical infrastructure. Instead, SECURE IT provides a number of incentives to companies that choose to share “cyber threat information” with the Federal government.

Furthermore, SECURE IT establishes criminal penalties for a wide range of cybercrimes, from “trafficking in passwords” to causing damage to critical infrastructure networks or systems.

SECURE IT was first introduced by Sen. John McCain (R-AZ), and has seven co-sponsors in the Senate, all top-ranking Republicans. In the House, SECURE IT was introduced by Rep. Mary Bono Mack (R-CA), and has one co-sponsor.

Read the full text of S. 2151 here, and the full text of H.R. 4263 here.

What is the difference between the Cybersecurity Act of 2012 and SECURE IT?

Two words: government regulation.

The fight over these two bills is classic Washington bi-partisanship. The Democrat-backed CSA establishes a governmental regulatory apparatus that would put in place certain mandatory security measures that private companies (specifically those that deal with critical infrastructure) would have to meet. While some say that CSA doesn’t go far enough towards enforcing these standards, Republicans don’t like this “big government” approach to cybersecurity at all. SECURE IT’s chief sponsor, Sen. John McCain, has called CSA a “regulatory leviathan.” And critics in the private sector insist that CSA would put harmful burdens on businesses.

There are, however, quite a few key differences in the eyes of critics, which I’ll get into below.

What do civil liberty advocates have to say about these bills?

They are against both of them. (Surprise!) This week, more than two dozen groups signed on to two separate (but very similar) letters decrying CSA and SECURE IT. Their points of contention with these two bills often echo one another, but do differ to varying degrees. The letters are both worth reading in full (here, here), but here is a concise-as-possible list of their complaints:

Sharing personally identifiable information

CSA: Actually, CSA is better than either SECURE IT or CISPA on this point, as it requires that companies make every “reasonable” effort to strip shared data of personally identifiable information. However, the ACLU says that this still does not go far enough to protect private information.

SECURE IT: Critics say SECURE IT has no “meaningful requirements to ensure that private information is anonymized,” and would actually allow companies “to share the virtually limitless category of private information that ‘fosters situational awareness’” for U.S. security purposes.

Privacy law overrides

CSA: As with CISPA, CSA effectively overrides all other privacy laws to allow companies to share “communications and records” with the government, even if that information has nothing to do with cyber threats.

SECURE IT: SECURE IT does basically the same thing for privacy laws, and also overrides tort laws.

Sharing with the military

CSA: Under CSA, the Department of Homeland Security would establish which government agencies may access information shared under the legislation. CSA allows DHS to designate the National Security Agency (NSA), and other military agencies with little to no public oversight, as “exchanges” of this information — something civil liberties groups say is unacceptable. (This also remains a primary complaint against CISPA.)

SECURE IT: Not only does SECURE IT allow the NSA and other defence agencies to access private information shared under the legislation — it requires it. All information shared under SECURE IT must be immediately shared with the NSA and other military organizations, “thereby nullifying a company’s choice to share user or customer information with a civilian, rather than a military agency.”

Using data for other crimes

CSA: This is perhaps one of the most problematic parts of CSA. Information shared under the legislation may be used for any other criminal investigation — even those that have absolutely nothing to do with cybersecurity — as long as the information “appears to relate to a crime which has been, is being, or is about to be committed.” This, critics say, is a direct attack on the Fourth Amendment requirements for warrants and other privacy safeguards.

SECURE IT: Less extreme than CSA on this point, SECURE IT still allows the government to use information shared under the legislation for “many other crimes” unrelated to cybersecurity, especially many “for which a wiretap may be used.” Again, critics say this is detrimental to our Fourth Amendment protections.

Company liability

CSA: Companies that share information with the government under CSA are granted legal immunity (meaning they cannot be sued or charged with criminal offenses) for doing so. By giving companies this immunity, CSA eliminates their ability to offer meaningful privacy guarantees to users, or to compete with each other by offering better protections than their competitors. It also takes away users’ or customers’ ability to sue these companies for sharing their information with the Federal government.

SECURE IT: The exact same complaint exists for SECURE IT.

In short, both CSA and SECURE IT draw many of the same complaints as CISPA, to a greater or lesser degree, depending on which part of the bills you’re looking at. The list above is only a portion of the complaints made by rights advocates, so it is definitely worth reading both the full text of these bills (warning: they are very, very long), as well as the letters, if you want to have a thorough understanding of the issues at play. Also, the Electronic Frontier Foundation (EFF), one of the organizations that signed both of the letters mentioned above, goes into much greater detail about the problems with these bills here.

Do we really need cybersecurity legislation?

According to those in Congress, the answer is a resounding “YES! For the love of all that is good in this world, YES!”

Or, as Sen. Lieberman explains: “This bill would begin to arm us for battle in a war against the cyber mayhem that is being waged against us by our nation’s enemies, organized criminal gangs, and terrorists who would use the Internet against us as surely as they turned airliners into guided missiles. The nation responded after 9/11 to improve its security. Now we must respond to this challenge so that a cyber 9/11 attack on America never happens.”

This “cyber 9/11” line is one that has been used by nearly all those pushing cybersecurity legislation — CSA, SECURE IT and CISPA alike. No surprise there, since the scare tactic seems to be working. Wired points out a new study by Unisys (pdf), which shows that more Americans now view cyberattacks as a greater threat to the country than terrorism — a rather amazing thing, considering the years of terrorism fear-mongering that those of us in the U.S. have gone through since the final months of 2001.

That said, even organizations like the Center for Democracy and Technology (CDT) — a key player in the fight against CISPA — say that greater safeguards against cyberattacks are needed. It is impossible to say at the moment, however, whether the threats are genuinely as serious as the politicians make them out to be, or whether legislation like CSA or SECURE IT is needed to protect against those threats.

What happens next?

Neither CSA nor SECURE IT has yet been placed on the Senate’s agenda, though it is widely believed that CSA will come up for consideration on the Senate floor sometime this week. SECURE IT, which does not have the support of Majority Leader Harry Reid, will likely go up for a vote sometime later in the month. (There is no timeframe yet for the House version of SECURE IT going up for a full vote.)

If either CSA or SECURE IT passes, the legislation will then likely be reconciled with CISPA (if CISPA is brought forth at all) before it can go to President Obama’s desk for his signature (or veto, as the case may be). However, the Republican-controlled House has indicated repeatedly that it will not pass a bill that imposes great government regulation, which would likely cause problems for CSA. In the end, it may be Obama’s veto pen — or lack thereof — that decides the future of our online privacy.

Have questions about CSA, SECURE IT, or CISPA? Hit me up on Twitter: @andrewcouts. I’ll do my best to find quality answers for you right away.

