Beyond CISPA: The cybersecurity bills you need to worry about right now


We’ve had a bit of a break from Congress’ cybersecurity legislative hoopla since the House passed the contentious Cyber Intelligence Sharing and Protection Act (CISPA) late last month. But with the Senate back from recess, the fight over Internet regulation is roarin’ and ready to roll.

Despite all the fears surrounding CISPA — a bill that would make it easier for the Federal government and businesses to share information (including users’ private communications) — the rumblings from Capitol Hill suggest that CISPA won’t even make it onto the Senate’s agenda, thanks to broad opposition from Senate Democrats and a veto threat from President Obama. (That’s right — you probably don’t have to worry about CISPA itself anymore, though that’s not saying much.) Instead, the Senate is expected to take up two alternative bills, the Cybersecurity Act of 2012 (CSA) sometime this week; and the SECURE IT Act, sometime this month.

Here is a (relatively) concise rundown of what these bills are, and why civil liberties advocates say they too threaten our individual privacy.

What is the Cybersecurity Act of 2012?

The Cybersecurity Act of 2012 (officially known as S. 2105, and often referred to in the press as the “Lieberman-Collins bill”) seeks to establish robust security standards to protect against “cyber threats,” with a particular emphasis on the protection of “critical infrastructure” networks in the U.S., such as electrical grids and air traffic control systems. Companies that operate such systems, assets, or networks would be required to prove to the government that they have certain safeguards in place to protect against cyberattacks.

Like CISPA, CSA also removes certain legal barriers to allow for greater information sharing between the government and the private sector. Finally, CSA establishes the Department of Homeland Security (DHS) as the Federal government’s lead agency for controlling the cybersecurity infrastructure.

Read the CRS summary of CSA here. Or read the full text here.

CSA was introduced to the Senate on February 14 by Homeland Security and Governmental Affairs Committee Chairman Joe Lieberman (I-CT), Ranking Member Susan Collins (R-ME), Commerce Committee Chairman Jay Rockefeller (D-WV), and Select Intelligence Committee Chairman Dianne Feinstein (D-CA). Only one other senator, Sen. Sheldon Whitehouse (D-RI), has co-sponsored the bill since its introduction, though it has explicit support from Senate Majority Leader Harry Reid (D-NV), and the Obama White House.

What is the SECURE IT Act?

Officially known as S. 2151 in the Senate, and H.R. 4263 in the House, SECURE IT is a direct response to CSA. Like CSA and CISPA, both the Senate and House versions of SECURE IT remove legal barriers to allow for greater sharing of information between the government and businesses. Unlike CSA, however, SECURE IT does not establish a governmental regulatory system to oversee cybersecurity threats or to make sure that security standards are in place for critical infrastructure. Instead, SECURE IT provides a number of incentives to companies that choose to share “cyber threat information” with the Federal government.

Furthermore, SECURE IT establishes criminal penalties for a wide range of cybercrimes, from “trafficking in passwords” to causing damage to critical infrastructure networks or systems.

SECURE IT was first introduced by Sen. John McCain (R-AZ), and has seven co-sponsors in the Senate, all top-ranking Republicans. In the House, SECURE IT was introduced by Rep. Mary Bono Mack (R-CA), and has one co-sponsor.

Read the full text of S. 2151 here, and the full text of H.R. 4263 here.

What is the difference between the Cybersecurity Act of 2012 and SECURE IT?

Two words: government regulation.

The fight over these two bills is classic Washington bi-partisanship. The Democrat-backed CSA establishes a governmental regulatory apparatus that would put in place certain mandatory security measures that private companies (specifically those that deal with critical infrastructure) would have to meet. While some say that CSA doesn’t go far enough towards enforcing these standards, Republicans don’t like this “big government” approach to cybersecurity at all. SECURE IT’s chief sponsor, Sen. John McCain, has called CSA a “regulatory leviathan.” And critics in the private sector insist that CSA would put harmful burdens on businesses.

There are, however, quite a few key differences in the eyes of critics, which I’ll get into below.

What do civil liberty advocates have to say about these bills?

They are against both of them. (Surprise!) This week, more than two dozen groups signed on to two separate (but very similar) letters decrying CSA and SECURE IT. Their points of contention with these two bills often echo one another, but do differ to varying degrees. The letters are both worth reading in full (here, here), but here is a concise-as-possible list of their complaints:

Sharing personally identifiable information

CSA: Actually, CSA is better than either SECURE IT or CISPA on this point, as it requires that companies make every “reasonable” effort to strip shared data of personally identifiable information. However, the ACLU says that this still does not go far enough to protect private information.

SECURE IT: Critics say SECURE IT has no “meaningful requirements to ensure that private information is anonymized,” and would actually allow companies “to share the virtually limitless category of private information that ‘fosters situational awareness’” for U.S. security purposes.

Privacy law overrides

CSA: As with CISPA, CSA effectively overrides all other privacy laws to allow companies to share “communications and records” with the government, even if that information has nothing to do with cyber threats.

SECURE IT: SECURE IT does basically the same thing for privacy laws, and also overrides tort laws.

Sharing with the military

CSA: Under CSA, the Department of Homeland Security would establish which government agencies may access information shared under the legislation. CSA allows DHS to designate the National Security Agency (NSA), and other military agencies with little to no public oversight, as “exchanges” of this information — something civil liberties groups say is unacceptable. (This also remains a primary complaint against CISPA.)

SECURE IT: Not only does SECURE IT allow the NSA and other defense agencies to access private information shared under the legislation — it requires it. All information shared under SECURE IT must be immediately shared with the NSA and other military organizations, “thereby nullifying a company’s choice to share user or customer information with a civilian, rather than a military agency.”

Using data for other crimes

CSA: This is perhaps one of the most problematic parts of CSA. Information shared under the legislation may be used for any other criminal investigation — even those that have absolutely nothing to do with cybersecurity — as long as the information “appears to relate to a crime which has been, is being, or is about to be committed.” This, critics say, is a direct attack on the Fourth Amendment requirements for warrants and other privacy safeguards.

SECURE IT: Less extreme than CSA on this point, SECURE IT still allows the government to use information shared under the legislation for “many other crimes” unrelated to cybersecurity, especially many “for which a wiretap may be used.” Again, critics say this is detrimental to our Fourth Amendment protections.

Company liability

CSA: Companies that share information with the government under CSA are granted legal immunity (meaning they cannot be sued or charged with criminal offenses) for doing so. By giving companies this immunity, CSA eliminates their ability to offer meaningful privacy guarantees to users, or to compete with each other by offering better protections than their competitors. It also takes away users’ or customers’ ability to sue these companies for sharing their information with the Federal government.

SECURE IT: The exact same complaint exists for SECURE IT.

In short, both CSA and SECURE IT share many of the same complaints against CISPA, to a greater or lesser degree, depending on which part of the bills you’re looking at. This (above) is only a portion of the complaints made by rights advocates, so it is definitely worth reading both the full text of these bills (warning: they are very, very long), as well as the letters, if you want to have a thorough understanding of the issues at play. Also, the Electronic Frontier Foundation (EFF), one of the organizations that signed both of the letters mentioned above, goes into much greater detail about the problems with these bills here.

Do we really need cybersecurity legislation?

According to those in Congress, the answer is a resounding “YES! For the love of all that is good in this world, YES!”

Or, as Sen. Lieberman explains: “This bill would begin to arm us for battle in a war against the cyber mayhem that is being waged against us by our nation’s enemies, organized criminal gangs, and terrorists who would use the Internet against us as surely as they turned airliners into guided missiles. The nation responded after 9/11 to improve its security. Now we must respond to this challenge so that a cyber 9/11 attack on America never happens.”

This “cyber 9/11” line is one that has been used by nearly all those pushing cybersecurity legislation — CSA, SECURE IT and CISPA alike. No surprise there, since the scare tactic seems to be working. Wired points out a new study by Unisys (pdf), which shows that more Americans now view cyberattacks as a greater threat to the country than terrorism — a rather amazing thing, considering the years of terrorism fear-mongering that those of us in the U.S. have gone through since the final months of 2001.

That said, even organizations like the Center for Democracy and Technology (CDT) — a key player in the fight against CISPA — say that greater safeguards against cyberattacks are needed. It is impossible to say at the moment, however, whether the threats are genuinely as serious as the politicians make them out to be, or whether legislation like CSA or SECURE IT is needed to protect against those threats.

What happens next?

Neither CSA nor SECURE IT has yet been placed on the Senate’s agenda, though it is widely believed that CSA will come up for consideration on the Senate floor sometime this week. SECURE IT, which does not have the support of Majority Leader Harry Reid, will likely go up for a vote sometime later in the month. (There is no timeframe yet for the House version of SECURE IT going up for a full vote.)

If either CSA or SECURE IT passes, the legislation will then likely be reconciled with CISPA (if CISPA is brought forth at all) before it can go to President Obama’s desk for his signature (or veto, as the case may be). However, the Republican-controlled House has indicated repeatedly that it will not pass a bill that imposes greater government regulation, which would likely cause problems for CSA. In the end, it may be Obama’s veto pen — or lack thereof — that decides the future of our online privacy.

Have questions about CSA, SECURE IT, or CISPA? Hit me up on Twitter: @andrewcouts. I’ll do my best to find quality answers for you right away.