Another U.S. law that threatens the status quo of the Internet is here, and this time it may be worse than SOPA/PIPA. The Cyber Intelligence Sharing and Protection Act of 2011, or CISPA for short, was proposed late last year by US Representative Michael Rogers (R-MI). It attempts to amend the National Security Act of 1947 by adding provisions against cybercrime, which the almost seventy-year-old National Security Act currently doesn’t address.
This new bill would allow companies to gather “cyber threat information” and share it with other companies at their discretion in order to help protect against cyber security concerns. Furthermore, the bill grants the Director of National Intelligence the power to establish the procedures by which companies can share cyber threat intelligence, albeit within certain constraints, and charges him with the duty to “encourage” companies to do so.
Before we examine the problems with CISPA, however, it is important to realize that giving companies power to protect themselves against hackers isn’t necessarily a bad thing. One need only look at the recent LulzSec debacle to see just how many companies can lose valuable data to a small group of dedicated, knowledgeable hackers. Indeed, proponents of CISPA say that this law does, in fact, establish a necessary framework with which to give companies a better form of defense against such cyber attacks.
Derrick Harris, a technology journalist at Gigaom, makes the following case for giving companies such power.
The idea of sharing cybersecurity information between private companies and the government has merit, especially in a world of increased cyberattacks against organizations in both sectors. If you’re trying to discover patterns in attacks, more data is always better, and web sites are attacked constantly. That they also could have access to classified government data is particularly beneficial.
The problem, then, isn’t what the bill tries to do but rather how it goes about doing it. This is where opponents of the law get really fired up. They argue that the law is too vague and poorly worded. Even Harris tempered his support for the bill with the observation that CISPA was “vague and unnecessarily broad.”
The Electronic Frontier Foundation, in particular, has come out against the bill:
At this time, most of the proposed cybersecurity bills grant the government broad powers in the event of a “cybersecurity threat.” Unfortunately, we don’t know what that means. EFF has raised detailed concerns about the potential harm this vague language could do if the existing legislative proposals are passed into law. In brief, broad definitions potentially implicate tools and behaviors that security experts would NOT reasonably consider to be cybersecurity threat indicators. Just using a proxy or anonymizing service such as Tor, encryption to protect your data, or measuring your ISP’s network performance could all be construed as “cybersecurity threats” in some of these legislative proposals.
This is where the problem with CISPA lies: the bill is so poorly worded that it ends up giving companies drastically broader powers than might have been intended. Under CISPA, companies may protect themselves by using “cybersecurity systems” to identify and obtain “cyber threat information.” What do these terms actually mean, though? In the definitions section of the bill, cybersecurity systems are defined as almost anything.
CYBERSECURITY SYSTEM- The term ‘cybersecurity system’ means a system designed or employed to ensure the integrity, confidentiality, or availability of, or safeguard, a system or network, including protecting a system or network from–
‘(A) efforts to degrade, disrupt, or destroy such system or network; or
‘(B) theft or misappropriation of private or government information, intellectual property, or personally identifiable information.
What this says is that a cybersecurity system is anything that protects a “system or network”—a vague term in itself—from efforts to degrade, disrupt, or destroy that system, or from attempts to steal almost any kind of information or intellectual property from it.
That’s actually a really huge definition. It means that companies now have the power to gather information about you if you do something as simple as save an image from a web site, post a music video you don’t own the rights to on YouTube, or check the IP address of a web site. In fact, if you did something as insignificant as see a picture of someone’s face on a part of a website that wasn’t intended to be public, companies could utilize their cybersecurity systems to gather “cyber threat information” about you.
So that brings up the other question: what is this “cyber threat information” that companies can gather about you? The bill defines it as such:
CYBER THREAT INFORMATION- The term ‘cyber threat information’ means information directly pertaining to a vulnerability of, or threat to a system or network of a government or private entity, including information pertaining to the protection of a system or network from–
‘(A) efforts to degrade, disrupt, or destroy such system or network; or
‘(B) theft or misappropriation of private or government information, intellectual property, or personally identifiable information.
This is where things get confusing. Cyber threat information is defined in almost exactly the same terms as cybersecurity systems, except that it is defined from the antagonist’s side. What this means is that something could potentially qualify as both a cybersecurity system and a cybersecurity threat, with the only difference being which side of the fence it’s on.
In other words, if you wind up finding anything that could be legally considered either private or personal information, regardless of whether you did so accidentally or on purpose, you are now a cyber threat and thus subject to information gathering by cybersecurity systems. What’s worse is that CISPA contains no expiry mechanism: if you qualify as a cyber threat, there is no provision governing when you cease being a cyber threat, or when companies must stop gathering information about you and/or delete the information they already hold.
Here’s where the danger lies with CISPA: not only is it pretty easy for someone to be classified as a cyber threat, but companies can then share all the information they gather about you with any other entity they wish. This includes the federal government, with whom they can share this information for as long as they want, without having to anonymize or minimize the content unless they specifically choose to, and with complete legal indemnity from any civil or criminal suit that may be filed against the company in response.
That’s pretty scary stuff, and it has some people up in arms.
Greg Nojeim of the Center for Democracy & Technology highlights the problems that may arise from this bill.
- The bill has a very broad, almost unlimited definition of the information that can be shared with government agencies notwithstanding privacy and other laws;
- The bill is likely to lead to expansion of the government’s role in the monitoring of private communications as a result of this sharing;
- It is likely to shift control of government cybersecurity efforts from civilian agencies to the military;
- Once the information is shared with the government, it wouldn’t have to be used for cybersecurity, but could instead be used for any purpose that is not specifically prohibited.
He also commented on what the bill could mean for those who are deemed to be cyber threats:
[T]he bill goes much further, permitting ISPs to funnel private communications and related information back to the government without adequate privacy protections and controls. The bill does not specify which agencies ISPs could disclose customer data to, but the structure and incentives in the bill raise a very real possibility that the National Security Agency or the DOD’s Cybercommand would be the primary recipient.
Essentially, as Nojeim underlines, that’s where CISPA becomes a great danger. Although the idea of giving companies the power to protect themselves against legitimate threats is important, CISPA is ignorant, vague, and doesn’t seem to understand how the Internet works.
The biggest problem isn’t just CISPA, though. They may receive less coverage than CISPA, but right behind it are several other cybersecurity bills, such as HR 3674, S 2105, and S 215, most of which are just as dangerous. Looking at this recent spate of legislation, it quickly becomes apparent that Congress knows it needs to fix the problems that the Internet presents to businesses. However, if SOPA/PIPA, CISPA, and the various other cybersecurity bills have taught us anything, it’s that Congress just doesn’t know how to do that. Until someone who understands the Internet is drafting legislation in Congress, both the House and the Senate will continue to write laws that don’t fully grasp the issues they confront, and will thus end up creating confusing and haphazard precedents instead of resolving the situation.
The sad thing about all this, though, is that we can only shoot down so many laws before Congress gets one through. The protests against SOPA/PIPA, for example, relied heavily on the support of major corporations, such as Wikipedia. This time, however, most of the major corporations are on CISPA’s side. Following the money trail behind the bill leads you right to the front door of Verizon, Apple, Microsoft, Facebook, Oracle, AT&T, Lockheed Martin, and numerous others. That’s a pretty intimidating group of companies, and it shows that the war against CISPA might not be as successful as the war against SOPA/PIPA.
So either Congress starts actually trying to figure out how the Internet really works soon, or the future of the Internet might be pretty grim.