The Cyber Intelligence Sharing and Protection Act, aimed at promoting better sharing of information about cyberattacks in the private sector and between the private sector and the government, is a good idea—if done right. But the bill as introduced in the House of Representatives was too broadly written, allowing ISPs and other service providers to disclose too much information to the government, particularly to the super-secret National Security Agency, where it could be used for purposes unrelated to cybersecurity. The Center for Democracy and Technology and other civil-liberties groups and online activists worked to alert the public about the threats posed by the bill, and on Thursday the House passed a version that, while still fundamentally flawed, contained meaningful privacy improvements.
But as the fight moves to the Senate, it is important to put the events of last week in perspective and correct several ill-informed memes. Remember SOPA and PIPA, the online piracy bills that were withdrawn in the face of massive public outcry, including blackouts of Wikipedia and other websites? The first misleading meme about CISPA, promoted by some on the cybersecurity sidelines, was that the bill was just SOPA 2.0 and that it could have been dismissed outright.
Nothing could be further from the truth. There was never a chance that this bill could have been stopped in the House. It had more than 100 cosponsors from both parties, and it was supported by many of the Internet companies, technologists, and security experts that had sharply criticized SOPA.
What is more, the Obama administration and both houses of Congress want cybersecurity legislation that includes enhanced cybersecurity information sharing. And while CDT is not ready to endorse the “cyber-9/11” hysteria driving some of this debate, we do believe that in order for the Internet to be open, innovative, and free, it must also be secure. We believe that the security risks online today are unacceptable and put Internet users’ personal information and privacy at risk. Long before CISPA, CDT had proposed narrow changes to current law to improve the sharing of cyberthreat information.
However, we laid out three bottom-line issues that need to be addressed to ensure that any information-sharing legislation also protects privacy and other civil liberties:
(1) What could be shared: the definition of cyberthreat information has to be narrowly focused, especially on sharing data about private Internet traffic with the government.
(2) Whom it can be shared with: the NSA, a military agency, should not have direct access to information flowing over civilian networks.
(3) What it can be used for: information shared for cybersecurity should be used only for cybersecurity, not for unrelated law-enforcement or intelligence purposes.
When CISPA was introduced, it fell woefully short on all three tests. Its definitions were so broad as to allow the sharing of entire streams of communications, it allowed the information to flow directly to the NSA, and it allowed the government to use the information for criminal and national-security purposes that had nothing to do with cybersecurity. My organization immediately sounded the alarm. Others began to pay attention. A coalition of civil-liberties advocates and grassroots groups across the political spectrum began to build opposition to the bill.
At first, the situation looked hopeless. Momentum behind CISPA was formidable. But the Internet community spoke up, posting hundreds of thousands of tweets, sending hundreds of thousands of emails to lawmakers, and placing more than a million signatures on petitions. Press attention skyrocketed, and Congress began to pay attention.
Welcome to the post-SOPA world of Internet advocacy, where the community that understands the importance of Internet policy has become larger and more diverse, bringing a host of opinions, strategies, and tactics to the table. This is an electrifying development.
My organization, CDT, directly engages in the hand-to-hand combat of Washington. To counter CISPA, CDT worked with Rep. Dan Lungren (R-Calif.), who drafted an alternative information-sharing bill with tighter definitions and stricter controls. House leadership threw its support behind CISPA. However, the Internet’s reaction was having an impact. Worried about a SOPA-like backlash, the bill’s sponsors were open to making some privacy-enhancing changes, and we began discussions to see if progress could be made. On a regular basis, the loose coalition of CISPA opponents discussed the various strategies we were pursuing.
Good progress was made in narrowing the definition of the information that could be shared with the government. Some progress also was made on limiting the government’s use of information for noncybersecurity purposes, particularly with respect to law enforcement. Yet we could not come to an agreement with the sponsors over two fundamental privacy concerns: the unfettered flow of information to the NSA and the use of the information for national-security purposes unrelated to cybersecurity. We could not drop our opposition to the bill, but we commended amendments that the sponsors made and agreed to focus our advocacy on the amendments that we expected would be made in order and voted on by the full House to address the core issues of the NSA’s role and noncybersecurity uses.
Then, as often happens in the politically polarized world of Washington, things got messy. The White House issued a veto threat, arguing that the bill lacked crucial provisions supported by the administration and that it failed to protect privacy. The House Republican leadership decided not to allow votes on amendments addressing the role of the NSA and the uses of shared information for purposes unrelated to cybersecurity. With those amendments blocked, we publicly reaffirmed our opposition.
The bill passed by a pretty wide margin, as we always assumed it would, although significantly not with enough votes to override a veto. Members of the House never had an opportunity to vote on the key issues of the NSA’s role and the wide uses permitted of cybersecurity information. But contrary to the purveyors of the second meme—that no good came from direct engagement—the amendments to improve privacy we had discussed with the bill’s sponsors all passed. And they did improve the bill.
Importantly, the definition of “cyberthreat information” was narrowed (PDF). As introduced, the bill could have allowed ISPs to disclose to the government entire streams of private communications. An amendment was adopted to permit sharing only of information “directly pertaining to” a cyberthreat, vulnerability, attack, or unauthorized access. The amendment also made it clear that violating terms of service is not a cyberthreat. This was probably the most-important amendment.
For those who believed that victory on CISPA could be defined only as a complete SOPA-like rejection of the bill, this progress may be cold comfort.
Another amendment made it clear that the bill does not authorize the use of government-controlled monitoring devices in private networks. There has been a long-running controversy over the desire of some in government to insert a cybersecurity system known as EINSTEIN, built with the assistance of the NSA, into communications networks to monitor private traffic. At least the amendment made it clear that nothing in CISPA could be interpreted as wiping out laws limiting the use of such government-designed and -controlled devices.
A third amendment restricted law-enforcement use of cyberthreat information to certain crimes. The bill as introduced would have permitted the government to use cyberthreat information to investigate and prosecute any crime.
For those who believed that victory on CISPA could be defined only as a complete SOPA-like rejection of the bill, this progress may be cold comfort. But the diverse coalition that came together in short order to rally against CISPA made a difference. The final bill, with its modest but important privacy improvements, now becomes the floor rather than the ceiling as the debate moves to the Senate.
We are still at the beginning of the process, and there is much work to be done. But the Internet community should take pride: it has already made a difference on CISPA.
We have much to learn as our community grows and as we work to understand and harness our different strengths and roles in support of the open Internet. But going forward on cybersecurity, it is clear that Congress will pay close attention to Internet users’ concerns. Keep it coming.