CISPA: Cyber security or a threat to privacy?


A group of activists protesting in front of the US Capitol. Courtesy of flickr.com/asterix611.

Over the past two years, Congress has made many attempts to, in their view, strengthen the powers of the federal government against potential abuses on the Internet, ranging from piracy to cyber terror. Earlier this year, two bills—SOPA and PIPA—regarding piracy stalled in Congress. The latest bill, the Cyber Intelligence Sharing and Protection Act (CISPA), attempts to address issues of cyber security. The Weekly Focus examines in detail what CISPA says, concerns with the law, and the implications if it passes.

CISPA is a bill that would modify the National Security Act of 1947 to create a means of sharing cyber security information between private companies and the US intelligence community. The goal is to provide information to the government that can be used to protect private industry from the threats of digital espionage and attack. This has been a burgeoning area of interest for the national security set over the past decade. Since the rise of the Internet, there have been an unending number of worms and viruses spread across millions of computers, affecting information on every continent. Starting in the early 2000s, however, criminals and other groups began to target specific companies and individuals to steal information and damage critical hardware. Credit card companies and their repositories of personal financial information were an early and common target. The last five years have witnessed a constant drumbeat of security breaches concerning everything from Social Security numbers to sensitive proprietary information from companies like Google and Lockheed Martin.

Digital espionage represents just half of the puzzle. Computers come in many varieties other than those that live on our desks or in our pockets. Industrial machinery, electrical power grids, and even a few nuclear enrichment facilities, are run by computers and networks connected to the Internet. While unable to run iTunes or a spreadsheet, these machines control the infrastructure on which critical industries depend. A virus introduced into these computing devices could have catastrophic consequences. Thus, the US government is particularly interested in defending both its own military and civilian networks as well as those of private companies and public infrastructure.

The problem up to this point in mounting an effective defense against these threats has been the lack of a clear legal framework defining who is responsible for what. The National Security Act of 1947 is the framework for the modern US security community. The Act created the Department of Defense, established the Joint Chiefs of Staff and the National Security Council, and gave birth to the Central Intelligence Agency. Modifying this fundamental framework is a momentous legal shift and is justified as necessary to combat cyber threats through better government access to information. The move is controversial, however, as it comes with vague definitions and potential for the abuse of power by national security agencies, which would be granted unprecedented access to information held by private companies. The bill has three main components – a definition for “cyberthreat intelligence”, a set of rules for what intelligence agencies can do with the information provided, and a legal framework and liability shield for companies which choose to share this information.

The bill's main focus is “cyberthreat intelligence,” which it defines as information, “directly pertaining to a vulnerability of, or threat to, a system or network of a government or private entity, including information pertaining to the protection of a system or network from: (1) efforts to degrade, disrupt, or destroy such system or network; or (2) theft or misappropriation of private or government information, intellectual property, or personally identifiable information.” Following this is a set of guidelines, intended for the intelligence community, which outline what agencies must do in order to use information submitted by private companies.

The last major piece of the bill is a legal framework to share information between intelligence agencies and private companies. Those companies included are any “non-governmental entity that provides goods or services intended to be used for cybersecurity purposes.” The law allows these companies, with the permission of those to whom they provide services, through signing a terms of use agreement, to provide “cyberthreat intelligence” to the federal government. This information is not required to be released to the public at any point and the companies in question are protected from both civil and criminal action so long as they act “in good faith” with the terms of the law.

Although CISPA has passed the House, its future is anything but certain, especially after President Obama signaled his intent to veto the bill if it clears the Senate. If he were to fail to do so, CISPA in its current form would profoundly change the privacy of information on the Internet by allowing the government to obtain information that currently requires a warrant. The bill also includes language that establishes a worrying relationship with preceding laws. Before passing the House, a section was added to CISPA that stated that "notwithstanding any other provision of law," companies like Facebook and Google may share information "with any other entity, including the federal government." If protection against unreasonable search and seizure is thrown out, all previous legislation protecting these rights will be muted. This disturbing line means that CISPA trumps every other law on the books, including wiretap restrictions, companies’ online privacy policies and terms of service, in addition to any other regulation that could potentially bar federal agents from collecting user information.

The security of users' data would now be entrusted to the services they use on the Internet. Since companies would be shielded from prosecution regarding data shared for cyber security purposes under CISPA, privacy advocates worry that it would create an environment similar to the one that led to illegal NSA wiretapping during the Bush administration. Private companies would share data from clients with intelligence agencies without oversight, which could result in innocent individuals having their information collected by the government without them ever knowing. Another controversy, raised by the Obama administration itself, is that CISPA would put Internet security into the hands of intelligence agencies and remove it from the civilian sphere. The Obama administration maintains that the civilian Department of Homeland Security should have a role in Internet security. If CISPA does overcome these criticisms and make it into law, then users should be aware that their data may be much less private.
