Bit9

Next week the U.S. House of Representatives will vote on the Cyber Intelligence Sharing and Protection Act (CISPA). The bill is intended to allow companies and the government to share information in the event of a cyber threat. What’s fundamentally different with CISPA compared to SOPA (House of Representatives) and PIPA (Senate) is that CISPA protects companies from cyber threats (SOPA and PIPA attempted to protect against copyright infringement).

The bill’s intent is fine. China is stealing private user data and core intellectual property at an alarming rate. The nation-state threat is real, and active measures need to take place in order to protect American companies moving forward. A position paper on the legislation from House Intelligence Chairman Mike Rogers (R-Mich.), who proposed the bill back in November 2011, with ranking member Dutch Ruppersberger (D-Md.) states:

“China is the world’s most active and persistent perpetrator of economic espionage. U.S. companies have reported an onslaught of Chinese cyber intrusions that steal sensitive information like client lists, merger and acquisition data, pricing information, and the results of research and development efforts. This information is used to give Chinese companies an unfair competitive advantage against the American companies from which it was stolen.”

So how do we protect against these types of attacks while still not infringing on the privacy of the typical user? The legislation is very broad, leaving a lot of wiggle room for the government to acquire information outside of the bill’s initial intent. Where the USA PATRIOT Act allows roving domestic wiretaps, CISPA would go further: it would grant the government unprecedented access to web company user data and trump already passed (and extended) legislation like the USA PATRIOT Act.

By putting companies in control, the bill claims to protect each user’s privacy by not mandating that private or public web companies fork over their user data. This would leave companies like Facebook, rather than the government, to choose what to do with the information they know about you – a little better, but still disconcerting. Facebook, Microsoft, Oracle, Symantec, Verizon and reportedly Google have come out in support of the legislation – a stark contrast to the public and company protests regarding SOPA and PIPA.

But many of these brands do not have a great track record of protecting user privacy to begin with. So the fact that they embrace support for this bill is a far cry from an authoritative endorsement of user privacy protection. The bill may be an “opt-in” legislative measure, but who is to say that both parties (the government and corresponding companies) can’t both mutually benefit from the sharing of private information? This may now give companies the ability to barter private information with the government in exchange for corporate influence.

With this said, will this legislation even help? Jim Harper, director of information policy studies at the Cato Institute in Washington, D.C., says “Congress has no particular capacity or knowledge of how to do cyber security.” The Obama administration also expressed concerns about the legislation – stopping short of a veto threat – stating:

“While information sharing legislation is an essential component of comprehensive legislation to address critical infrastructure risks, information sharing provisions must include robust safeguards to preserve the privacy and civil liberties of our citizens. Legislation without new authorities to address our nation’s critical infrastructure vulnerabilities, or legislation that would sacrifice the privacy of our citizens in the name of security, will not meet our nation’s urgent needs.”

Congress has proved to be dated in its approaches to Internet security, and this legislation will only assist the government for investigative purposes – and only if companies agree to actively share information. Because the bill does not mandate participation by companies, it may end up being ineffective and useless anyway. Most companies get breached because they lack the security knowledge or concern to be proactive about it in the first place. To truly fix the problem, it may simply require the wisdom of the organization to manage the risk and protect against it. Whether the bill is passed or not, the threat is persistent and rapidly changing, while the legislative body adapts to changes in its environment more slowly than the Theory of Evolution.
