The true intent of CISPA
While the Cyber Intelligence Sharing and Protection Act’s (CISPA) intent is clearly aimed at greater private sector cooperation with federal cyber crime investigations, opponents adamantly maintain that if adopted in its current form, Internet users will lose all protection provided by existing laws to safeguard their privacy.
The debate over CISPA is between proponents who assert that it is essential to strengthen the federal government’s ability to fight cyber threats, and opponents who say the legislation fails to provide adequate privacy protection for U.S. citizens.
This bill, passed by the U.S. House of Representatives in April and which now moves to the U.S. Senate, would allow companies and Internet service providers (ISPs), including large providers such as Verizon and AT&T, to share customer information pertaining to cyber threats with government agencies, such as the National Security Agency (NSA) and the Department of Homeland Security (DHS). The companies would be free to turn over customer records to federal investigators at their discretion.
The legislation’s proponents argue that this level of information-sharing is essential to investigate the constant threat posed by cyber attacks against government agencies and commercial enterprises. These include cyber espionage, and congressional supporters cite, in particular, threats from nation states such as Russia and China.
Support from major companies
CISPA has the support of a number of large tech companies, including Microsoft, Facebook, Oracle, Symantec, Verizon, AT&T and IBM, and defense contractors, such as Boeing and Lockheed Martin. A number of industrial and business associations, including the U.S. Chamber of Commerce, the Business Software Alliance, the CTIA and the National Cable & Telecommunications Association also have advocated for the legislation.
In addition to congressional opponents, a number of privacy advocacy and civil liberties groups, such as the American Civil Liberties Union (ACLU) and the Electronic Frontier Foundation, vigorously contest CISPA. At the crux of the opposition, they say, is potential carte blanche for companies to turn over customer information to government agencies without due process of law, including court orders typically required in criminal investigations.
What could this mean for the "average" Web user?
Although the intent of the law is focused clearly on sharing information about cyber threats, the average Internet user should question the possible indiscriminate sharing of private information, or, worst case, sharing of information for other purposes under the pretext of cyber crime investigation. Opponents have described the law as a sort of “virtual wiretapping” of people’s browsing activity without the legal controls exerted outside of the digital realm.
Opposition of prominent hacker groups
Anonymous, the ideologically motivated “hacktivist” group, had been actively engaged against CISPA before its House passage, claiming responsibility for a series of Distributed Denial-of-Service (DDoS) attacks against Boeing and trade associations TechAmerica and USTelecom.
After the passage, however, Anonymous attempted to change tactics because, it said, DDoS attacks were losing their effectiveness in the face of stronger protection. The group called, instead, for street protests against a wide range of companies it cited as CISPA supporters, including high-profile tech targets such as AT&T, Verizon, Microsoft, IBM and Intel, as well as companies such as Coca Cola, Pepsi, Target, Walmart and CVS. The protests, which the group called for during May and June, have failed as yet to materialize. The group also threatened unspecified action to be taken in late June to “send a strong, swift message” to MasterCard, Visa and American Express.
Anonymous had claimed responsibility for a number of DDoS attacks earlier this year as Congress took up the Stop Online Piracy Act (SOPA), which some mistakenly associate with CISPA. SOPA was aimed at cutting off access to the illegal sharing of copyrighted intellectual property, chiefly entertainment, like music and film. Opponents feared SOPA would restrict the free use of the Internet and stifle commercial development.
What happens now?
The question now is what happens when the U.S. Senate takes up the bill. Congress has been trying for years to pass cyber security legislation without success. Legislators have been unable to pass a federal data breach disclosure law to standardize requirements now divided among 40-plus state laws.
The CISPA vote broke along largely partisan lines in the Republican-controlled House. President Obama has threatened to veto CISPA in its present form, saying that it failed to adequately protect Internet user confidentiality and civil liberties. In that context, CISPA might very well undergo significant change in the Democratic Senate if it is to have a chance to allay opponents’ concerns and remove the threat of presidential veto. The Senate’s proposed Cyber Security Act of 2012 is focused heavily on protecting critical infrastructure, which is seen very favorably by the Obama Administration. Like CISPA, it also provides for sharing of information between the federal government and private sector, and has drawn similar concerns from privacy advocacy groups.
About the author
Neil Roiter is director of research at Corero Network Security, the leading global provider of Distributed Denial of Service (DDoS) defense and Next Generation Intrusion Prevention Systems (NGIPS), and editor of the Security Bistro blog. He is best known for his decade of work as a technology journalist, focusing on information security, risk and compliance. Before joining Corero, he was features editor and senior technology editor at Information Security magazine and SearchSecurity.com, and has written about information security from the days of "Internet hooliganism" and hacking for the sheer perverse joy of it, to today's world of cyber crime as global business. An expert in network security, he is often quoted in technology publications.