Though the Cyber Intelligence Sharing and Protection Act (CISPA) managed to be defeated in Congress last year, it has been reintroduced and scheduled for a vote in the House of Representatives this week. The authors of the bill, Reps. Mike Rogers (R-Mich.) and Dutch Ruppersberger (D-Md.), introduced a revised version of the bill in February despite opposition from privacy advocates.
The primary purpose of CISPA is to encourage intelligence sharing so as to address potential cyber threats, but CISPA does little to detail what information on cyber threats may be shared. As a result, anything from e-mails to medical records could be shared with intelligence agencies. Harvey Anderson of Mozilla, an opponent to the bill, says CISPA “creates a black hole” through which the government can access any kind of data it wants.
In its current form, CISPA allows Internet and other companies to be exempt of all liability if they open their databases with confidential customer information to the feds and other private-sector firms.
Last year, despite threats of a presidential veto and heavy opposition in the House led by former Rep. Ron Paul (R-Texas) and Rep. Jared Polis, (D-Colo.), CISPA managed to pass in the House of Representatives by a vote of 248 to 168, but did not receive a vote in the Senate as a result of a struggle over a Democratic-backed bill that had privacy problems of its own.
The bill was reintroduced this year as a result of a reported increase of cyber-attacks by Iran and China that has compelled President Obama to call for legislation to stop the attacks.
“Congress must act,” Obama said during his 2013 State of the Union address, “…by passing legislation to give our government a greater capacity to secure our networks and deter attacks.”
Last month, President Obama signed a cybersecurity executive order that expands “real time sharing of cyberthreat information” to companies that operate critical infrastructure and proposes a “review of existing cybersecurity regulation.”
The authors of the bill claim CISPA will “provide for the sharing of certain cyber threat intelligence and cyber threat information between the intelligence community and cybersecurity entities,” by carefully monitoring threats to the cyber infrastructure and permitting the exchange of personal information between government agencies.
The House Intelligence Committee approved the updated draft of CISPA by a vote of 18 to two, and is now scheduled for a vote in the full House.
Representative Jan Schakowsky (D-Ill.) voted against CISPA because her colleagues did not approve any of the three amendments that she attempted to add to the bill.
One of her amendments would have excluded the Pentagon and the National Security Administration from the list of government entities permitted to access third-party data.
Another one of her amendments would have created a privacy post to oversee “the retention, use and disclosure of communications, records, system traffic or other information” obtained by federal officials.
"My amendments would have strengthened privacy protections, ensured that consumers can hold companies accountable for misuse of their private information, required that companies report cyber threat information directly to civilian agencies and maintained the long standing tradition that the military doesn't operate on US soil against American citizens," she told reporters after the vote.
"I strongly agree with the need to enact effective cybersecurity legislation, and commend the bipartisan effort of the House Intelligence Committee, but this bill doesn't sufficiently protect individual privacy rights.”
The other dissenting vote came from Rep. Adam Schiff (D-Calif.), who articulated similar sentiments about CISPA’s violation of personal privacy of Internet users.
"It is not too much to ask that companies make sure they aren't sending private information about their customers, their clients, and their employees to intelligence agencies, along with genuine cyber security information," Schiff said.
"While I support increased information sharing, without requirements that companies make sure they aren't sharing Personally Identifiable Information, as well as making the Department of Homeland Security the initial point of receipt, I cannot support the bill in its current form."
CISPA is being heavily opposed by groups like the Electronic Frontier Foundation, the American Civil Liberties Union, and a number of other privacy rights groups. Likewise, groups that had originally supported the bill have since changed their opinions, including Facebook and Microsoft.
Prior to his suicide in January, Reddit co-founder Aaron Swartz said that CISPA is “incredibly broad and dangerous” as it gives the federal government the unprecedented power to access our online activity.
“It also goes much further and allows them to spy on people using the Internet, to get their personal data and emails,” Swartz said.
Internet companies like Mozilla have also come out against the bill, with over 70 cybersecurity experts and academics joining the opposition. They submitted a letter criticizing CISPA last year which read,
We have devoted our careers to building security technologies, and to protecting networks, computers, and critical infrastructure against attacks of many stripes. We take security very seriously, but we fervently believe that strong computer and network security does not require Internet users to sacrifice their privacy and civil liberties.
And earlier this week, over 30 civil liberties groups sent a letter of opposition against CISPA to Congress:
CISPA creates an exception to all privacy laws to permit companies to share our information with each other and with the government in the name of cybersecurity…. CISPA’s information sharing regime allows the transfer of vast amounts of data, including sensitive information like Internet records or the content of emails to any agency in the government including military and intelligence agencies like the National Security Agency or the Department of Defense Cyber Command.
Likewise, despite Obama’s plea for Congress to pass legislation to secure our nation’s networks, the White House has once again issued a veto threat if the bill passes in its current form.
A statement issued by the Obama administration on Tuesday indicates, “If the bill, as currently crafted, were presented to the President, his senior advisors would recommend that he veto the bill.”
“The Administration … remains concerned that the bill does not require private entities to take reasonable steps to remove irrelevant personal information when sending cybersecurity data to the government or other private sector entities,” the White House’s statement reads.
“Citizens have a right to know that corporations will be held accountable — and not granted immunity — for failing to safeguard personal information adequately.”
But regardless of the organized opposition, Rep. Mike Rogers trivialized the opposition and classified those who oppose CISPA as nothing more than “14-year- olds” tweeting in their basement during the committee hearing on the bill.