Previously defeated cyber-surveillance bill is back before Congress
The Cyber Intelligence Sharing and Protection Act – or CISPA – is back. The controversial bill, which would allow companies to share individuals’ personal information and Internet traffic with the U.S. government in the name of national security, was re-introduced by Maryland Democratic Rep. Dutch Ruppersberger on Friday. For more on CISPA and the future of cyber security legislation in the new Congress, FSRN’s Ashley Westerman spoke with Julian Sanchez, a Senior Fellow at the Cato Institute in Washington, D.C.
Ashley Westerman: In a nutshell, can you tell me what the Cyber Intelligence Sharing and Protection Act seeks to do and why are we hearing about it again after it stalled in the last Congress?
Julian Sanchez: Sure. So there are a variety of components, but the overarching goal here is to ease information sharing between the government and the private sector. This creates a sort of vague exception for cyber security threat indicators, which are not very clearly defined and appear to include the contents of communication if they’re deemed relevant to understanding some kind of cyber security threat. And so this was seen, I think quite rightly, as a way of providing yet more Internet information to intelligence agencies like NSA as something that was questionable in its potential to materially improve cyber security.
And in the wake of the very high-profile Sony hack, we’ve both seen CISPA revived in Congress and President Obama advancing his own proposal for legislation to facilitate information-sharing. It’s not actually clear exactly what the difference is between what he’s proposing and the CISPA he threatened to veto, though I think, really, the question is, given how often it’s the companies themselves that are reluctant to share information about vulnerabilities in their systems, whether this is actually the place where focusing effort and energy is most likely to make a difference?
Ashley Westerman: Civil liberties groups and privacy advocates had criticized the initial proposed Cyber Intelligence Sharing and Protection Act for a number of reasons including that it doesn’t really limit how and when the government can access our personal online information and browsing habits. Should they have the same concerns with this new version of the bill?
Julian Sanchez: They should, I mean, I think there is some pro forma language about trying to minimize the unnecessary sharing of personal identities or personal identifying information that’s not necessary to describe the threat. But in the context of very broad immunities from liability for information sharing, the real problem here is that the upfront definitions are so vague, the incentive is going to be in any event to overshare if you’re not ultimately accountable for that.
Ashley Westerman: Proponents of the CISPA say it will prevent another online attack by foreign hackers. Will it?
Julian Sanchez: You know, it seems unlikely. I think with cyber security, the government is a lot like the drunk in the old joke. You know, ‘I lost my keys in the dark. I’m looking for them under the street light. Not because that’s where I lost the keys but because the light is better there.’
The real difficult problem of hardening domestic networks against foreign and domestic cyber attacks has to do with things like training employees not to click on shady phishing emails, keeping software updated, making sure that really critical systems are air-gapped. They’re all things that, essentially, the companies that maintain these networks really have to do for themselves.
The government can’t realistically get into micromanaging whether companies have all secured their networks properly. The thing they can do is try and facilitate information sharing but, you know, there’s already quite a lot of information sharing going on and, of course, there’s already also substantial sharing with the government. It’s certainly not at all clear that something like this would have enabled something like the Sony hack to be stopped.
Ashley Westerman: When it was introduced two years ago, President Obama said he would veto CISPA. But following the Sony hack, Obama has called for stronger cybersecurity laws that would allow for more information sharing across private and public sector platforms. What do you think the chances are of CISPA surviving this Congress and making it to the President’s desk?
Julian Sanchez: Well, some version of additional cyber security legislation seems likely to move forward. Probably some variant now of this is going to go forward; the question is whether it’s something like CISPA or something similar but with a few additional privacy safeguards that the President can back and say, ‘Well, no, no, no, what I’m supporting is my new information sharing legislation. Not CISPA, which I threatened to veto.’ That’s a way, of course, for the President to promote moving forward with new information sharing legislation without seeming to contradict his old position that CISPA was unacceptable.
Ashley Westerman: Finally, is there any sort of middle ground that can be reached when it comes to maintaining our cybersecurity while, at the same time, not stepping all over individual liberties?
Julian Sanchez: Sure. Look, to the extent that companies have uncertainty – you know, lawyers are skittish about whether the existing safe harbor provisions in data privacy laws permit them to share information about attacks on their own systems or to share things like malware signatures – you can do targeted amendments to those laws clarifying what the exemption covers that doesn’t, you know, sort of, blow open a hole and say, ‘Notwithstanding any other law, anything that you can call a cyber-security indicator, whatever that means, is fair game to share with the government.’ They could also help by hoarding vulnerabilities less aggressively. NSA is both an intelligence agency and a security agency, an information assurance agency, meaning they’ve got these conflicting missions. On the one hand, they want to let people know about vulnerabilities to make American networks more secure.
On the other hand, they want to stockpile vulnerabilities so they can use them to hack into networks. One way they can help is by saying, ‘It’s more important for the world to know about insecure software so they can patch it and be secure than it is for us to make sure we can always spy on every single network we might ever have an interest in getting into.’