Not CISPA: Revised Senate cybersecurity bill praised by civil liberty advocates

CSA, CISPA will die without vote by July, says Lieberman

Concerns over cybersecurity legislation in Congress have lessened with the introduction of a revamped bill called the Cybersecurity Act of 2012, which citizen advocacy groups say better respects Web users’ privacy and civil liberties than any earlier cybersecurity bill, including the House-passed Cyber Intelligence Sharing and Protection Act (CISPA).

The Cybersecurity Act of 2012 (S.3414) is backed by a bipartisan group of five senators. President Obama has also voiced his support for the bill. The legislation was introduced by Sens. Joe Lieberman (I-CT) and Susan Collins (R-ME), both of whom drafted earlier versions, called the Cybersecurity Act.

The revised cybersecurity bill would provide protections for critical infrastructure systems, and create a new, multi-agency council, called the National Cybersecurity Council (NCC), which would assess risks and vulnerabilities related to U.S.-based computer systems. It would also open more legal avenues for the sharing of information between the Federal government and U.S. businesses.

Unlike the earlier version, the Cybersecurity Act of 2012 does not require companies that run critical infrastructure networks, like water supply, electrical grids, or air traffic control systems, to meet specific government-mandated security requirements. Instead, it will establish a voluntary program for the protection of critical infrastructure, through which participating companies can provide evidence that they are meeting certain cybersecurity standards on their networks in exchange for incentives. The cybersecurity guidelines would be set by private-sector groups, but would have to be approved by the NCC.

The exclusion of government-mandated security benchmarks was one of the primary requirements made by Republicans in the Senate, who said they would not vote for a bill that included more government regulation.

“While the bill we introduced in February is stronger, this compromise will significantly strengthen the cybersecurity of the nation’s most critical infrastructure and with it our national and economic security,” Lieberman told The Hill. “We responded after the 9/11 attacks to improve our security. Now we must respond to this latest challenge before a cyber 9/11 occurs.”

More important for the average Web user are changes made for privacy and civil liberty purposes. They are:

  • Restricted sharing between government agencies: The new Lieberman-Collins bill guarantees that only civilian organizations — rather than military ones, like the National Security Agency — will have access to cyber-threat intelligence shared between businesses and the government.
  • Limits on types and use of data: The bill strictly limits which types of information may be shared, and restricts the types of investigations for which law enforcement may use the shared data. This is a drastic change from the earlier bill, which would have allowed the data to be used for almost any criminal investigation, including copyright infringement. The new legislation allows law enforcement to use shared data for: any investigation related to a cybersecurity crime; situations that involve possible death or bodily harm; and any threat to minors, including sexual exploitation and physical threats.
  • Free speech protections: The new Lieberman-Collins bill now explicitly states that First Amendment-protected free speech does not constitute a “cybersecurity threat.” Violations of companies’ terms of service are also clearly exempt from “cybersecurity threat” status.

“The amendments address key civil liberties concerns that have dogged the cybersecurity debate. In terms of privacy, these changes make the Lieberman-Collins bill far superior to both the McCain bill and the House-passed CISPA,” said Leslie Harris, president and CEO of the Center for Democracy and Technology (CDT), in a statement. “Senator Franken and his colleagues, who pushed hard for these amendments, and the co-sponsors of the bill, deserve praise and gratitude for listening to the concerns of the privacy community.”

The Electronic Frontier Foundation (EFF), which often takes a more critical stance than the CDT on such matters, said the new Lieberman-Collins bill “drastically improves upon the previous bill by addressing the most glaring privacy concerns.” Despite this, the EFF continues to have reservations.

“Make no mistake – we remain unpersuaded that any of the proposed cybersecurity measures are necessary and we still have concerns about certain sections of the bill, especially the sections on monitoring and countermeasures,” wrote the EFF on its website. “But this was a big step in the direction of protecting online rights, and we wouldn’t be here without the support of Internet users contacting Congress in droves.”

The EFF highlights a portion of the bill that the group says “specifically authorizes companies to use cybersecurity as an excuse for engaging in nearly unlimited monitoring of user data,” as well as the ability for Internet service providers (ISPs) to “block privacy-protective technologies like Tor.”

In a Wall Street Journal op-ed penned by President Obama — which was published just hours after the introduction of the Cybersecurity Act of 2012 — the commander-in-chief urged Congress to pass “comprehensive cybersecurity legislation” that includes sharing provisions, as well as protections for critical infrastructure. Obama also warned of the consequences of not passing such legislation.

“It doesn’t take much to imagine the consequences of a successful cyber attack,” he wrote. “In a future conflict, an adversary unable to match our military supremacy on the battlefield might seek to exploit our computer vulnerabilities here at home. Taking down vital banking systems could trigger a financial crisis. The lack of clean water or functioning hospitals could spark a public health emergency. And as we’ve seen in past blackouts, the loss of electricity can bring businesses, cities and entire regions to a standstill.”

The Cybersecurity Act of 2012 has already been added to the Senate’s legislative calendar by Senate Majority Leader Harry Reid (D-NV), an indication that its supporters believe the bill has enough votes to pass.
