Passage of CISPA in the U.S. House highlights need for viable cybersecurity legislation

Cybersecurity bills must balance protection with online privacy and civil liberties.

To paraphrase Ben Franklin, he who sacrifices online freedom for the sake of cybersecurity deserves neither. Last night, the Cyber Intelligence Sharing and Protection Act (CISPA) (H.R. 3523) through the United States House of Representatives was sent to a vote a day earlier than scheduled. CISPA passed the House by a vote of 250-180, defying a threatened veto from the White House. The passage of CISPA now sets up a fierce debate in the Senate, where Senate Majority Leader Harry Reid (D-NV) has indicated that he wishes to bring cybersecurity legislation forward for a vote in May.

The votes on H.R. 3523 broke down along largely partisan lines, although dozens of both Democrats and Republicans voted for or against CISPA it in the finally tally. CISPA was introduced last November and approved by the House Intelligence Committee by a 17-1 vote before the end of 2011, which meant that the public has had months to view and comment upon the bill. The bill has 112 cosponsors and received no significant opposition from major U.S. corporations, including the social networking giants and telecommunications companies who would be subject to its contents.

In fact, as an analysis of campaign donations by Maplight showed, over the past two years interest groups that support CISPA have outspent those that oppose it by 12 to 1, ranging from defense contractors, cable and satellite TV providers, software makers, cellular companies and online computer services.

While the version of CISPA that passed shifted before the final vote, ProPublica’s explainer on CISPA remains a useful resource for people who wish to understand its contents. Declan McCullagh, CNET’s tech policy reporter, has also been following the bill closely since it was introduced and he has published an excellent FAQ explaining how CISPA would affect you.

As TechDirt observed last night, the final version of CISPA — available as a PDF from docs.house.gov contained more scope on the information types collected in the name of security. Specifically, CISPA now would allow the federal government to use information for the purpose of investigation and prosecution of cybersecurity crimes, protection of individuals, and the protection of children. In this context, a “cybersecurity crime” would be defined as any crime that involves network disruption or “hacking.”

Civil libertarians, from the Electronic Frontier Foundation (EFF) to the American Civil Liberties Union, have been fiercely resisting CISPA for months. “CISPA goes too far for little reason,” said Michelle Richardson, the ACLU legislative counsel, in a statement on Thursday. “Cybersecurity does not have to mean abdication of Americans’ online privacy. As we’ve seen repeatedly, once the government gets expansive national security authorities, there’s no going back. We encourage the Senate to let this horrible bill fade into obscurity.”

Today, there is widespread alarm online over the passage of CISPA, from David Gewirtz calling it heinous at ZDNet to Alexander Furnas exploring its troubling aspects to it being called a direct threat to Internet privacy over at WebProNews.

The Center for Democracy and Technology issued a statement that it was:

“… disappointed that House leadership chose to block amendments on two core issues we had long identified — the flow of information from the private sector directly to NSA and the use of that information for national security purposes unrelated to cybersecurity. Reps. Thompson, Schakowsky, and Lofgren wrote amendments to address those issues, but the leadership did not allow votes on those amendments. Such momentous issues deserved a vote of the full House. We intend to press these issues when the Senate takes up its cybersecurity legislation.”

Alexander Furnas included a warning in his nuanced exploration of the bill at The Atlantic:

“CISPA supporters — a list that surprisingly includes SOPA opponent Congressman Darrell Issa — are quick to point out that the bill does not obligate disclosure of any kind. Participation is ‘totally voluntary.’ They are right, of course, there is no obligation for a private company to participate in CISPA information sharing. However, this misses the point. The cost of this information sharing — in terms of privacy lost and civil liberties violated — is borne by individual customers and Internet users. For them, nothing about CISPA is voluntary and for them there is no recourse. CISPA leaves the protection of peoples’ privacy in the hands of companies who don’t have a strong incentive to care. Sure, transparency might lead to market pressure on these companies to act in good conscience; but CISPA ensures that no such transparency exists. Without correctly aligned incentives, where control over the data being gathered and shared (or at least knowledge of that sharing) is subject to public accountability and respectful of individual right to privacy, CISPA will inevitably lead to an eco-system that tends towards disclosure and abuse.”

The context that already exists around digital technology, civil rights and national security must also be acknowledged for the purposes of public debate. As the EFF’s Trevor Timm emphasized earlier this week, once national security is invoked, both civilian and law enforcement wield enormous powers to track and log information about citizens’ lives without their knowledge nor practical ability to gain access to the records involved.

On that count, CISPA provoked significant concerns from the open government community, with the Sunlight Foundation’s John Wonderlich calling the bill terrible for transparency because it proposes to limit public oversight of the work of information collection and sharing within the federal government.

“The FOIA is, in many ways, the fundamental safeguard for public oversight of government’s activities,” wrote Wonderlich. “CISPA dismisses it entirely, for the core activities of the newly proposed powers under the bill. If this level of disregard for public accountability exists throughout the other provisions, then CISPA is a mess. Even if it isn’t, creating a whole new FOIA exemption for information that is poorly defined and doesn’t even exist yet is irresponsible, and should be opposed.”

What’s the way forward?

The good news, for those concerned about what passage of the bill will mean for the Internet and online privacy, is that now the legislative process turns to the Senate. The open government community’s triumphalism around the passage of the DATA Act and the gathering gloom and doom around CISPA all meet the same reality in this respect: checks and balances in the other chamber of Congress and a threatened veto from the White House.

Well done, founding fathers.

On the latter count, the White House has made it clear that the administration views CISPA as a huge overreach on privacy, driving a truck through existing privacy protections. The Obama administration has stated (PDF) that CISPA:

“… effectively treats domestic cybersecurity as an intelligence activity and thus, significantly departs from longstanding efforts to treat the Internet and cyberspace as civilian spheres. The Administration believes that a civilian agency — the Department of Homeland Security — must have a central role in domestic cybersecurity, including for conducting and overseeing the exchange of cybersecurity information with the private sector and with sector-specific Federal agencies.”

At a news conference yesterday in Washington, the Republican leadership of the House characterized the administration’s position differently. “The White House believes the government ought to control the Internet, government ought to set standards, and government ought to take care of everything that’s needed for cybersecurity,” said Speaker of the House John Boehner (R-Ohio), who voted for CISPA. “They’re in a camp all by themselves.”

Representative Mike Rogers (R-Michigan) — the primary sponsor of the bill, along with Representative Dutch Ruppersberger (D-Maryland) — accused opponents of “obfuscation” on the House floor yesterday.

While there are people who are not comfortable with the Department of Homeland Security (DHS) holding the keys to the nation’s “cyberdefense” — particularly given the expertise and capabilities that rest in the military and intelligence communities — the prospect of military surveillance of citizens within the domestic United States is not likely to be one that the founding fathers would support, particularly without significant oversight from the Congress.

CISPA does not, however, formally grant either the National Security Agency or DHS any more powers than they already hold under existing legislation, such as the Patriot Act. It would, however, enable more information sharing between private companies and government agencies, including threat information pertinent to legitimate national security concerns.

It’s crucial to recognize that cybersecurity legislation has been percolating in the Senate for years now without passage. That issue of civilian oversight is a key issue in the Senate wrangling, where major bills have been circulating for years now without passage, from proposals from Senator Lieberman’s office on cybersecurity to the ICE Act from Senator Carper to Senator McCain’s proposals.

If the fight over CISPA is “just beginning”, as Andy Greenberg wrote in Forbes today, it’s important for everyone that’s getting involved because of concerns over civil liberties or privacy recognizes that CISPA is not like SOPA, as Brian Fung wrote in the American Prospect, particularly after provisions regarding intellectual property were dropped:

“At some point, privacy groups will have to come to an agreement with Congress over Internet legislation or risk being tarred as obstructionists. That, combined with the fact that most ordinary Americans lack the means to distinguish among the vagaries of different bills, suggests that Congress is likely to win out over the objections of EFF and the ACLU sooner rather than later. Thinking of CISPA as just another SOPA not only prolongs the inevitable — it’s a poor analogy that obscures more than it reveals.”

That doesn’t mean that those objections aren’t important or necessary. It does mean, however, that anyone who wishes to join the debate must recognize that genuine security threats do exist, even though massive hype about a potential “Cyber 9/11” perpetuated by contractors that stand to benefit from spending continues to pervade the media. There are legitimate concerns regarding the theft of industrial secrets, “crimesourcing” by organized crime and the reality of digital agents from the Chinese, Iranian and Russian governments — along with non-state actors — exploring the IT infrastructure of the United States.

The simple reality is that in Washington, national security trumps everything. It’s not like intellectual property or energy or education or healthcare. What anyone who wishes to get involved in this debate will need to do is to support an affirmative vision for what roles the federal government and the private sector should play in securing the nation’s critical infrastructure against electronic attacks. And the relationship of business and government complicates cybersecurity quite a bit, as “Inside Cyber Warfare” author Jeffrey Carr explained here at Radar in February:

“Due to the dependence of the U.S. government upon private contractors, the insecurity of one impacts the security of the other. The fact is that there are an unlimited number of ways that an attacker can compromise a person, organization or government agency due to the interdependencies and connectedness that exist between both.”

The good news today is that increased awareness of the issue will drive more public debate about what’s to be done. During the week the Web changed Washington in January, the world saw how the Internet can act as a platform for collective action against a bill.

Civil liberties groups have vowed to continue advocating against the passage of any vaguely drafted bill in the Senate.

On Monday, more than 60 distinguished IT security professionals, academics and engineers published an open letter to Congress urging opposition to any “‘cybersecurity’ initiative that does not explicitly include appropriate methods to ensure the protection of users’ civil liberties.”

The open question now, as with intellectual property, is whether major broadcast and print media outlets in the United States will take their role of educating citizens seriously enough for the nation to meaningfully participate in legislative action.

This is a debate that will balance the freedoms that the nation has fought hard to achieve and defend throughout its history against the dangers we collectively face in a century when digital technologies have become interwoven into the everyday lives of citizens. We live in a networked age, with new attendant risks and rewards.

Citizens should hold their legislators accountable for supporting bills that balance civil liberties, public oversight and privacy protections with improvements to how the public and private sector monitors, mitigates and shares information about network security threats in the 21st century.

tags: , , ,