When last we checked in with the Cyber Intelligence Sharing and Protection Act (CISPA), the bill was headed to the House floor for a vote at the end of April. To recap, the general purpose of CISPA is to create procedures that would “allow elements of the intelligence community to share cyber threat intelligence with private sector entities and utilities and to encourage the sharing of such intelligence.” Essentially it seeks to create procedures that allow Internet user information to be shared between the government and certain companies with the goal of protecting against cyber attacks. On April 26th CISPA passed by a vote of 248 to 168 in the House of Representatives.
In the Senate, the Cybersecurity Act of 2012, sponsored by Joseph Lieberman, looked to move forward over the summer. The bill received the support of President Obama in a Wall Street Journal op-ed. The President brought up the damage that could result form a cyber attack on systems that control U.S. transportation or utilities, and stated, “We all know what needs to happen. We need to make it easier for the government to share threat information so critical-infrastructure companies are better prepared. We need to make it easier for these companies—with reasonable liability protection—to share data and information with government when they're attacked.” In attempt to allay some of the concerns that had been brought up in opposition, to CISPA, the President wrote, “[O]ur approach protects the privacy and civil liberties of the American people. Indeed, I will veto any bill that lacks strong privacy and civil-liberties protections.”
The Cybersecurity Act of 2012 contained some of the same protections as the amended CISPA bill that passed in the House, including limiting information sharing to cases of cybersecurity crime investigation or danger of imminent death or bodily harm, and ensuring that the data can’t be used to prosecute unrelated crimes (such as copyright infringement or drug usage). Despite these efforts to address privacy concerns and despite the President’s assurances, not everyone was convinced that the bill contained all the necessary civil-liberties protections. A PC World article noted concerns from the Electronic Frontier Foundation (who also opposed CISPA): “"Currently, the bill specifically authorizes companies to use cybersecurity as an excuse for engaging in nearly unlimited monitoring of user data or countermeasures (like blocking or dropping packets)." These concerns proved to be too great for some members of the Senate, and on August 2, 2012 the bill’s sponsors were unable to get the 60 votes necessary to end debate on the bill.
It would appear the White House hasn’t abandoned the push to create new standards that it believes would help prevent a cyber attack on infrastructure systems, as in early September rumors of a possible executive order began to circulate. The order is said to “establish a voluntary program where companies operating critical infrastructure would elect to meet cybersecurity best practices and standards crafted, in part, by the government.” This week, Joseph Lieberman, one of the Cybersecurity Act of 2012’s sponsors, said he believes President Obama could sign such an order within the next month.
Regardless of any executive order, it seems a foregone conclusion that Congress will attempt to continue to legislate in the area of Internet regulation. The past year has seen the Stop Online Piracy Act (SOPA), the Protect IP Act (PIPA), CISPA, and the Cybersecurity Act of 2012. Of the four, only CISPA managed to pass in its respective legislative chamber. We’ll be on the lookout for a possible executive order, the revival of any of these bills, or any new bills that may be introduced in their place.