Congress Braces for Battle Over Cybersecurity Bill
Growing privacy concerns may doom a new bill to protect against cyberattacks. By Philip Bump.
You probably don't want to be stuck on a train in a tunnel under a river because hackers have shut down your city's infrastructure. But you also probably don't want Facebook sending the information it has about you to the National Security Agency.
Our networks and social tools are used as both as conduits and targets for attack by criminals and hackers. Perhaps inevitably, they've become the latest battleground for the tensions between civil liberties and national security. We want to ensure our ability to cripple criminal activity while preventing intrusions into our personal privacy. We want the government in the criminals' business, but not our own.
Drawing a line between privacy and security is never easy. It is far more difficult when the line is being drawn on Capitol Hill—particularly right now.
The House begins debate this week on a bill dubbed the Cyber Intelligence Sharing and Protection Act, or CISPA. The legislation creates a two-way street for information to be shared between the government and companies that do business on the Web: Internet service providers, social media companies, telecommunications firms. If enacted, CISPA would let the government, when necessary, provide otherwise restricted information about cyberthreats to private sector partners. The companies, meanwhile, would be free to share information about user behavior with federal authorities.
In a stroke of bad luck for CISPA's primary sponsors, Reps. Mike Rogers (R-Mich.) and Dutch Ruppersberger (D-Md.), the atmosphere for such legislation at the moment is not exactly welcoming.
When CISPA was first introduced in late November, the legislation quickly gained supporters. To date, more than 110 members of the House have signed on as co-sponsors; industry heavyweights like Microsoft, Intel, and Facebook have written letters of support; organizations like the U.S. Chamber of Commerce and the Heritage Foundation have given a thumbs up.
But now opponents are gearing up, focusing heavily on a key provision: companies sharing information with the government. Last week was declared a "week of action" by CISPA opponents, including such civil liberties organizations as the ACLU, libertarian groups and consumer advocates. (This letter gives a good sense of the range of opposition.) Politicians have been less vocal in opposition, though The Daily Beast learned on Friday that Rep. Raul Grijalva (D-Ariz.), co-chairman of the Congressional Progressive Caucus, has come out in opposition to the bill.
The opponents generally believe that CISPA encroaches too greatly on personal privacy. The Electronic Frontier Foundation (EFF), a San Francisco-based nonprofit, is one of the organizations in the forefront of efforts to revise the bill.
"Right now, companies can only look at your communications in very specific, very narrow situations," says Trevor Timm, an activist with the group. "The government, if they want to read them, needs some sort of warrant and probable cause. This allows companies to read your communication as long as they can claim a cybersecurity purpose."
Other components of CISPA are giving opponents pause. The proposed law is exempted from the Freedom of Information Act, for example, which would make it difficult for outside parties like the media to assess the bill's impact. CISPA's information-sharing rules would also exist "notwithstanding" existing privacy laws, meaning that CISPA trumps other normal privacy protections.
A senior staffer for the House Permanent Select Committee on Intelligence defends these provisions, saying some companies were concerned that FOIA requests would expose information they'd provided the government about breaches on their networks. Instead, the staffer notes, the inspector general for intelligence agencies will have the authority to review data collection. The exemption was designed to avoid the need to amend a large number of existing laws and to give the measure flexibility as technology evolves.
But some companies are modifying their stance. Facebook, which in February called CISPA a “thoughtful, bipartisan approach,” now says it would not share user information with the government.
For activists, the statement was welcome—but not the right solution. As Timm put it: "We shouldn't have to beg for companies to respect our privacy."
The EFF and its allies propose several options to improve the bill: requiring companies to ensure that information sent to the government is anonymous, for example, and drawing a brighter line around what does and doesn't constitute "cybersecurity." "National security has turned into such a broad, vaguely defined term," Timm insists, "that it permeates into all aspects of criminal law."
But in an interview with Mashable, Rep. Rogers maintained that national security consists of "any threat to the security of the U.S. that can either be by physical harm or in some ways economic harm."
While Rogers indicated he believes the remaining issues could be resolved, that may be optimistic. The reason has nothing to do with CISPA. It has to do with SOPA.
When the CISPA measure was filed in November, the debate over privacy issues in the Stop Online Piracy Act, or SOPA, was reaching a boiling point. Backers have removed language in an effort to avoid being linked to SOPA—which was shelved after a one-day shutdown of some Web sites—but it hasn't worked.
On Reddit, the enormously popular social website that is often credited with killing SOPA, the two measures are nearly always mentioned in one breath. That CISPA is tied to a deeply unpopular bill makes it particularly hard for supporters to deliver their message.
Organizations that have written in support for the legislation do not appear eager to discuss CISPA. None was willing to speak on record; one pointed to an existing public statement; several others didn't respond to inquiries.
One organization, US Telecom, offered a possible explanation. A staffer there indicates that the company was targeted by members of the gauzy activist collective known as Anonymous, who launched denial-of-service attacks against them. The attack flooded US Telecom's server with requests until nobody, legitimate or not, could access the site. Anonymous released a call-to-action to that effect last week.
Such efforts are deeply misguided. The perception that CISPA would inflict crippling infiltrations of privacy is as rampant as it is erroneous. No rational participant opposes the intent of CISPA—stopping that scenario where you're stranded in the tunnel—just the methodology. "If they took out provisions that allow companies and the government to skirt privacy laws, it's something that we wouldn't fight at all," says the EFF's Timm.
Despite the increasingly political tone, the House intelligence staffer I spoke with seemed confident that a compromise could be hammered out—that the tricky line between privacy and security could be drawn.
He added: "In the end, this is a democracy, right? You always end up with a bill that not everyone is 100 percent happy with."