Is CISPA SOPA 2.0? We Explain the Cybersecurity Bill

By Wire News Sources on April 26, 2012

by Megha Rajagopalan

Update (4/26): An earlier version of this story said a proposed amendment by Rep. Adam Schiff, D-Calif., had helped gain support for CISPA. Schiff’s amendment, which among other things would further define what’s considered a “cyber threat,” is no longer scheduled for consideration.

The Cyber
Intelligence Sharing and Protection Act
, up for debate in the House of
Representatives today, has privacy activists, tech companies, security wonks
and the Obama administration all jousting about what
it means – not only for security but Internet privacy and intellectual
property.  Backers expect CISPA to
pass, unlike SOPA, the Stop Online
Piracy Act
that melted down amid
controversy earlier this year. 

Here’s a rundown on the debate and what CISPA could mean for Internet
users.

What
exactly is CISPA?

The act, sponsored Rep. Mike Rogers, R-Mich., and Rep. Dutch
Ruppersberger, D-Md., would make it easier for private corporations and U.S.
agencies, including military and intelligence, to share information related to “cyber
threats.” In theory, this would enable the government and companies to keep
up-to-date on security risks and protect themselves more efficiently. CISPA
would amend the National
Security Act of 1947
, which currently contains no reference to cyber security.
 Companies wouldn’t be required to
share any data. They would just be allowed to do so.

Why should
I care?

CISPA could enable companies like Facebook and
Twitter, as well as Internet service providers, to share your personal
information with the National Security Agency and the CIA, as long as that
information is deemed to pertain to a cyber threat or to national security.

How does
the bill define “cyber threat”?

The bill itself defines it as information “pertaining to a vulnerability of” a system or network — a definition that opponents have criticized as too broad. The bill gained support after sponsors agreed to allow votes on several amendments they said would make concessions to privacy activists; one aims to narrow the definition of “cyber threat.”

When can data be shared?

Rogers said the amended version of the bill would only enable companies and intelligence agencies to share information related to 1) cyber security purposes; 2) investigation and prosecution of cyber security crimes; 3) protection of individuals from death and bodily harm; 4) child pornography; or 5) protection of the national security of the United States.

Why are
privacy activists upset about CISPA?

Privacy activists like the American Civil Liberties Union and the Electronic
Frontier Foundation
contend CISPA isn’t specific enough about just what
constitutes a “cyber threat.” They say it enables Internet companies and
service providers to hand over sensitive user information to intelligence
agencies without enough oversight from the civilian side of government.
Finally, they say it does not explicitly require Internet companies to remove
identifying information about users before sharing.  Opponents contend, for instance, that
Facebook or Twitter could share user messages with the NSA or FBI without
redacting the user’s name or personal details.

CISPA also protects the private sector from liability even if
they share private user information, as long as that information is deemed to have been shared for cybersecurity or national
security purposes. Even though sharing is voluntary and not required under the
law, privacy activists say the legal immunity CISPA provides would make it easy
for the government to pressure Internet companies to give up user data.

What kind
of information can be shared?

 Private companies and
government agencies can share any information that pertains to a “cyber threat”
or that would endanger national security. That could include user information,
emails, and direct messages. Companies would be allowed to share with each
other as well as the government. The government is not allowed to proactively
search company-provided information for purposes unrelated to cyber security,
but opponents say this would be tough to enforce. The bill does not place any
explicit limit on how long that information can be kept. Several proposed amendments would limit the amount and kinds of information
that can be shared, but it remains to be seen which — if any — will
be adopted.

Is CISPA
basically SOPA 2.0?

No, it’s very different.

SOPA was about intellectual property; CISPA is about cyber
security, but opponents believe both bills have the potential to trample
constitutional rights. The comparisons to SOPA stem from
language in an earlier version of CISPA that referenced intellectual property.
That wording was removed early on in response to mounting criticism. SOPA would
have strengthened copyright laws, barring search engines and other websites
from linking to sites that violated intellectual property regulations. That
prompted a First Amendment concern from critics that it would give government
the power to block websites wholesale, trampling free speech. CISPA’s liability
shield, on the other hand, has sparked a concern based on the Fourth Amendment,
which protects against unreasonable search and seizure. Opponents contend the
law would make it too easy for private companies and the intelligence community
to spy on users in the name of cyber security.

Why are
some of the tech companies that protested SOPA, like Facebook and Microsoft,
now
supporting this bill?

CISPA gives Internet companies the ability to share threat information
with intelligence agencies and receive information back from them,
an ability they say would enable them to deal with cyber threats more
effectively. It does not compel them to protect users’ privacy (though a
variety of proposed amendments aim to add more stringent privacy protections). Companies
could not be held liable for divulging a user’s identity or data to the
government if the information relates to a “cyber threat.”

What’s the
Obama administration’s take?

The White House is backing a Senate bill proposed by Homeland Security
and Governmental Affairs Committee Chairman Sen. Joe Lieberman, I-Conn., and
has threatened
to veto
CISPA. Officials cite a lack of personal privacy protections.
They say CISPA would enable military and intelligence agencies to take on a
policing role on the internet, which the administration points out is a
civilian sphere.

What is
CISPA’s path forward in Congress?

A vote is set for Friday. CISPA has accumulated more than 100 cosponsors
and will most likely pass the House. “This isn’t about scrambling to meet 218
votes, we are well past that,” co-sponsor Rogers said during a conference call
with reporters. But the Senate is a different story — there, it must
compete with the Lieberman cyber security bill and one from Sen. John McCain,
R-Ariz.

Would CISPA
really make us more secure?

It’s unclear.

Some cyber security specialists note that neither CISPA nor
other cyber security bills in Congress would compel companies to update
software, hire outside specialists or take other measures to preemptively secure
themselves against hackers and other threats. CISPA’s backers respond that the
bill would forestall a “digital Pearl Harbor,” allowing a freer flow of
information for a quicker and more effective response to hackers by both the
government and the private sector.


Go to Source



No comments yet.

Sorry, the comment form is closed at this time.