Perceiving Cyberthreat Info Sharing Bill
Lawmakers Offer Differing Visions of CISPA's Privacy Protections
Privacy and civil liberties protections, like beauty, are in the eye of the beholder, at least when it comes to legislation to get businesses and governments to share cyberthreat information.
The debate over the Cyber Intelligence Sharing and Protection Act, which passed the House of Representatives by a 288-127 vote April 18, has centered on whether the bill known as CISPA provides citizens sufficient privacy and civil liberties protections. The bill's bipartisan sponsors contend amendments added to the legislation furnish those safeguards. But a handful of Democratic lawmakers and President Obama remain skeptical [see White House Threatens CISPA Veto, Again].
The two sides are reading the same bill and coming to different conclusions. What are their views, and why do they differ on what the legislation says?
Rep. Adam Schiff of California is among a handful of Democrats who believe cyberthreat information sharing can be achieved with proper privacy safeguards by tweaking the legislation to be more specific about how business and government treat content found in intercepted messages, including getting businesses to anonymize personally identifiable information, or PII. Speaking on the House floor on April 17, Schiff says the legislation needs to do more to assure that personal information isn't shared with the military, including the National Security Agency.
Plus, Schiff says, immunity protections in the bill extended to businesses to encourage them to share cyberthreat information are too broad, and must be reined in. The bill should "encourage the private sector to take reasonable steps to make sure it does not compromise privacy interests when it's not necessary to do so to protect cybersecurity," he says. CISPA critics contend businesses could hide behind the bill's provisions to protect themselves from lawsuits over sharing information that doesn't involve cyberthreats.
Rep. Mike Rogers, the Michigan Republican and CISPA's chief sponsor, says the bill was never about sharing personally identifiable information; the information being shared, he says, is the 0s and 1s that represent code that could contain malware that threatens critical IT systems. CISPA, he says, isn't about the written content in a message. Nonetheless, Rogers contends amendments to the bill have added four layers of privacy protection. In addition, a new amendment explicitly states that the Department of Homeland Security, a civilian agency, would serve as the government's contact with industry in sharing cyberthreat information. (Opponents argue that still wouldn't prevent the NSA and military from accessing the content in shared information.)
Congress prescribing how industry presents cyberthreat information, especially with data shared among businesses, is a nonstarter among most GOP lawmakers. Rogers says government has no role in telling business how to anonymize personally identifiable information. It's been a fundamental precept among most Republicans during various cybersecurity debates that any bill containing any inkling of regulation of the private sector will not pass. Just look at last year's Cybersecurity Act of 2012. A major reason supporters couldn't stop a filibuster was a provision in the bill that would have the government, working with industry, establish IT security best practices that businesses could voluntarily adopt. Many Republicans felt that provision could lead to regulations, something they abhor.
Speaking on the House floor about CISPA, Rogers echoed that stance: "Let us not move to get the government into regulating aspects of the Internet between private-to-private (business dealings). ... Keep the government out of it. That's what we decided to do. We came to a very sensible place that protects that PII - personally identifiable information - and allows the government to stay out from regulating the Internet."
Both sides agree that cyberthreat information sharing is crucial to protecting critical information, systems and networks. But will lawmakers' perceptions of the role of government and the privacy and civil liberties protections CISPA promises to deliver prevent the bill from ever becoming law?