Last week, the United States House of Representatives passed the Cyber Intelligence Sharing and Protection Act of 2011, or CISPA for short. The United States Senate has yet to bring its version up for a vote. But if CISPA does pass the Senate in its present “House” form, it will undoubtedly see President Obama’s veto pen.
There are effectively three components to the bill: (1) the sharing of cyber threat intelligence from the federal government to private industry, (2) the encouragement of private industry to share their cyber threat knowledge with the federal government, and (3) exemption from liability for private industry players who participate in the program.
The primary intent of the bill is presented with little controversy by Michigan Republican Congressman Mike Rogers, who is the Chairman of the Permanent Select Committee on Intelligence. That purpose is to share government cyber threat intelligence with recognized and approved cyber security companies and consultants.
This notion of selective intelligence sharing is another significant step in the progression of unclassified-but-sensitive partnership development that began in 2004 with the emergence of the Office of the Director of National Intelligence. In response to a recommendation from the 9/11 Commission, 16 agencies now report to the Director of National Intelligence, including the CIA, the FBI, and NSA. Controversy is congenital when it comes to the exchange of intelligence. These organizations fittingly struggle with intra-collaboration to fulfill their constitutional mandate of protecting citizens without violating those same citizens’ constitutional rights of privacy.
The general notion of the bill reads, “The Director of National Intelligence shall establish procedures to allow elements of the intelligence community to share cyber threat intelligence with private-sector entities and to encourage the sharing of such intelligence.” Involving the eyes and ears of commercial cyber security professionals is a gutsy move that Congressman Rogers finds worth taking.
Most, but not all, of Rogers’ fellow House Republicans agreed with him. The bill passed the House last Friday with 206 Republicans and 42 Democrats voting in favor, with 28 Republicans and 140 Democrats voting against. I was hoping to see where bellwether Congressman Ron Paul stood on the matter, but he was not present to vote.
The objections from the Obama Administration, as well as advocacy groups such as the Center for Democracy and Technology, extend from their general distaste for the intelligence community’s trolling for terrorist activity, e.g., the Patriot Act. Kendall Burman, Senior National Security Fellow at the Center for Democracy and Technology, told Russian-sponsored news group RT, “We very much fear that the information sharing machine that is related to cyber security could very much become a back door wiretap or a surveillance program by another name.”
The White House expresses the concern that “The bill also lacks sufficient limitations on the sharing of personally identifiable information between private entities and does not contain adequate oversight or accountability measures necessary to ensure that the data is used only for appropriate purposes. Citizens have a right to know that corporations will be held legally accountable for failing to safeguard personal information adequately.”
The Obama Administration is also very concerned that CISPA will “inappropriately shield companies from any suits where a company's actions are based on cyber threat information identified, obtained, or shared under this bill.” This is in response to the section of the bill that attempts to give comfort to willing participants of its threat sharing program, “No civil or criminal cause of action shall lie or be maintained in Federal or State court against a ... cybersecurity provider, acting in good faith for using cybersecurity systems or sharing information in accordance with this section...”
Libertarian advocacy groups worry that content providers may use the new law to shake down the online shoplifters of music, movies, and software. CISPA reminds them of the rejected SOPA bill, the Stop Online Piracy Act that would have compelled search engines and payment facilitators to block infringers of copyright, counterfeit drug, and intellectual property laws. There will always be this schizophrenic attitude from those who adore artistic creation and disrespect the artistic creators. They seem to disconnect the performer from the record label, refuting any sense of obligation to pay XL Recordings for enjoying the talented tracks from the boys of Vampire Weekend; more utopian nonsense that keeps artists poor.
I suppose that CISPA may provide a slight opening for the distributors of music, movies, and software to engage the federal government in catching those who napster their goods. Following the bill’s description of protecting against “efforts to degrade, disrupt, or destroy such system or network” are the words, “theft or misappropriation of private or government information, intellectual property, or personally identifiable information.”
Given the history of the Obama machine with its Attack Watch website that asked citizens to report “enemies” of his policies and positions, I can understand the paranoia about CISPA being another citizen-on-citizen spy task force. But I just do not see CISPA as obligating the FBI to kick in the dorm room doors of students with earbuds.
I also do not share the concern of CISPA critics who worry that it would lead to the brownshirting of the American citizenry. In order to participate in the sharing program, the Office of the Director of National Intelligence is to certify cybersecurity providers, each defined as a “non-governmental entity that provides goods or services intended to be used for cybersecurity purposes.” Individuals are specifically excluded in the bill’s language.
Yet, specificity is always a constructive criticism with new laws. Kendall Burman expressed it well, “We have a lot of concerns with the breadth of the bill. If it was very narrowly tailored to information that is very much related to cyber threat information there would be comfort level with that. But the way that it is written, it applies to so much of your information communication and to have that risk go straight to the National Security Agency, we think creates a real civil liberties problem.”
The federal government has coordinated “computer emergency readiness team” (CERT) programs for decades. I professionally support the addition of a coordination mechanism between the intelligence community and private industry to augment preemptive and rapid responses to hacking threats. But frankly, I do not see the necessity of adding a law to share cyber threat intelligence. The Office of the Director of National Intelligence may need new appropriations from Congress for the program. But they could start the sharing today, without the concern for unintended consequences introduced by a new law. I would advise that the Senate appropriate funds for this program (How about a budget, Senator Reid?) and remove the extraneous language that makes citizens unnecessarily nervous.
The full text of the 11-page CISPA bill can be read here: