The Cyber Intelligence Sharing and Protection Act of 2011 (CISPA) was introduced by Rep. Mike Rogers and approved by the House Intelligence Committee in December 2011. The House is expected to vote on the bill on Friday, April 27. However, the L.A. Times reports that even if the bill does pass, the White House is threatening a veto. Created in an attempt to facilitate the sharing of information deemed relevant to cybersecurity threats, there is concern surrounding the amount of information CISPA would allow private businesses to share with the government. The bill seeks “To provide for the sharing of certain cyber threat intelligence and cyber threat information between the intelligence community and cybersecurity entities.” CISPA allows the federal government to share cyber threat intelligence with authorized cybersecurity providers and private companies. Cybersecurity providers, if authorized by the company for which they provide security, can share cyber threat information with other providers, private companies, and the federal government. Private companies are able to share cyber threat information with each other and with the federal government.
With regard to private sector action, CISPA provides that, “Notwithstanding any other provision of law, a self-protected entity may, for cybersecurity purposes (i) use cybersecurity systems to identify and obtain cyber threat information to protect the rights and property of such self-protected entity; and (ii) share such cyber threat information with any other entity, including the Federal Government.” Turning to the “Definitions” section of the bill, it provides that a “Self-Protected Entity” is “any entity, other than an individual, that provides goods or services for cybersecurity purposes to itself.” As for a “Cybersecurity System”, that term is defined as “a system designed or employed to ensure the integrity, confidentiality, or availability of, or safeguard, a system or network, including protecting a system or network from (A) efforts to degrade, disrupt, or destroy such system or network; or (B) theft or misappropriation of private or government information, intellectual property, or personally identifiable information.” While this definition clarifies what CISPA is seeking to protect against, it is still unclear what activities are exactly authorized under the ability to “use cybersecurity systems.” Putting this together, CISPA appears to authorize any private-sector company that takes any steps to protect its “cybersecurity” to use ill-defined means to collect and share information that it deems related to cybersecurity threats.
This broad language has raised serious concerns with the Electronic Frontier Foundation (EFF), which suggests that CISPA could allows companies to go as far as “monitoring email, filtering content, or even blocking access to sites.” The EFF is also concerned about the “intellectual property” language in the bill, which suggests that ISPs may be authorized to monitor e-mails and other communications for evidence of copyright infringement in the name of cybersecurity. Similarly, the EFF is troubled by the “theft or misappropriation of private or government information” language, which they believe could be used to monitor and block WikiLeaks and other news outlets such as the New York Time’s website which publish classified information.
On April 10 Rep. Rogers and Rep. Dutch Ruppersberger, the bill’s co-sponsor, along with various staffers, held a conference call with members of the media to address concerns about CISPA. The representatives and their staffers attempted to emphasize the voluntary nature of the bill, which doesn’t require companies to provide any information. They also noted that private companies are encouraged to render anonymous any information that they do choose to share. The two Congressmen further discussed two proposed amendments. The first is intended to limit the ways information can be used by the government by stating that the government may not affirmatively search information provided for a purpose other than a cybersecurity purpose or the protection of the national security of the United States. The second provides for an annual review of how the government is using the information by congressional intelligence committees. Rep. Rogers emphasized that he was holding meetings and discussions with concerned groups such as the ACLU and the Center for Democracy and Technology as they sought to make the bill agreeable to all parties.
The conference call did not assuage all concerned parties. Techdirt posted an article detailing their issues with the bill entitled CISPA Is A Really Bad Bill, And Here's Why. Techdirt takes issue with the fact that while the bills sponsor’s say they don’t intend to include music or movies under the term “intellectual property,” the plain language of the bill itself is still broad enough that it could be interpreted and used to include those things. In addition, Techdirt point out that restricting the government to using the information only for “cybersecurity” purposes or protection of national security isn’t much of a limiting principle at all.
It is worth noting that many technology companies have come out in support of CISPA, including Facebook, IBM, and Microsoft. These countervailing viewpoints may, however, only serve to highlight the divide this bill creates between companies and individuals. While private companies will only provide information to the government on a strictly voluntary basis, the information they provide will often pertain to individuals. Furthermore, while CISPA allows them to make the information provided anonymous, it does not require it. Even if the bill’s sponsors are able to assuage concerns about the scope of the “intellectual property” and “private or government information” provisions, the individual privacy concerns voiced by CISPA’s opposition still seem problematic given the current language of the bill. CISPA is expected to reach the House floor for a vote the week of April 23. Updates will be forthcoming.