Does the Cyber Intelligence Sharing and Protection Act (CISPA) have any chance of passing into law?
The cybersecurity bill has come under sustained assault by civil liberties groups, who have criticized it for using overly broad language, including the definition of what constitutes a "cyber attack" and which types of data can be shared. They worry that it could result in information sharing programs that compromise people's current privacy protections.
"Many of the major civil liberties groups like EFF and ACLU have legitimately criticized the substance of the bill, which would give companies a free pass to share their customers' private information with the government," said security and privacy researcher Christopher Soghoian on his blog.
Even the White House weighed in Tuesday, though it was careful not to name any specific bills--and CISPA isn't the only proposed cybersecurity legislation in the House. "The nation's critical infrastructure cyber vulnerabilities will not be addressed by information sharing alone," National Security Council spokeswoman Caitlin Hayden said in a statement confirming that the Obama administration wouldn't stand for information sharing in the absence of privacy protections.
"Information sharing provisions must include robust safeguards to preserve the privacy and civil liberties of our citizens," she said. "Legislation without new authorities to address our nation's critical infrastructure vulnerabilities, or legislation that would sacrifice the privacy of our citizens in the name of security, will not meet our nation's urgent needs."
Of course, draft bills aren't fixed in stone; they can be revised or amended, and that's just what's been happening with CISPA. "In recent redrafts, the bill has been revised to include data minimization language to reduce the amount of detailed information businesses would share with the government," said Bill Weber, a partner at the law firm Baker Hostetler, on the Data Privacy Monitor blog.
In addition, "the bill now eliminates references to theft of [intellectual property] that raised concerns similar to the anti-piracy/anti-counterfeiting bills that withered in the face of opposition earlier this year," he said, referring to SOPA and PIPA. Finally, a revised version of the bill "would also now allow lawsuits against the government for intentional or willful improper disclosure of personal data that's been collected," which could help assuage privacy groups worried about a slide into surveillance--not just sharing--and a repeat of the NSA's warrantless wiretapping program.
If privacy experts see information sharing as dangerous territory, security experts see it as essential for helping private businesses resist today's onslaught of advanced persistent threats (APTs). "The intent behind CISPA is very good, which is that we've really got to do better sharing here," said Harry Sverdlove, CTO of endpoint security firm Bit9, via phone. "So there does need to be some way to do this for companies that want to do this, that protect them from the liability and lawsuits."
On the other hand, how do you translate those requirements into the language of a bill? "As a technologist, I always get queasy if legislation has too many specifics in it--what is information sharing; what is a cyber attack? But the more vague you make the bill, the more it worries privacy organizations," said Sverdlove. "Fortunately, I'm not a legislator, and [I] don't have to do that kabuki dance about how to get specific without getting too specific."
Of course, it remains to be seen whether CISPA--in some form--will pass into law. Sverdlove, for one, thinks it's likely that the bill will get tabled for now but will be used as a blueprint for future cybersecurity legislation. Regardless of whether or not that happens, who would have predicted just a year ago that Congress would now be discussing ways to improve the sharing of threat intelligence between the public and private sectors to help block APTs?