CISPA Needs Major Surgery – In a Public Operating Room
Written by Greg Nojeim
The Cyber Intelligence Sharing and Protection Act (CISPA, or H.R. 624) has a number of fundamental flaws that threaten civil liberties. The bill is intended to give companies in the private sector clear authority to share more cyber threat information. CDT supports more cybersecurity information sharing. However, CISPA goes overboard in the authorities it grants, it lacks critically necessary civil liberties protections, and it inadvertently authorizes and immunizes conduct that itself constitutes a cybersecurity crime.
We were disappointed when the authors of the legislation re-introduced the same bill that passed the House last year only to stall in the Senate. Nothing was changed to address the many concerns that privacy groups had identified, nothing was changed to address the privacy concerns that drew a White House veto threat, and none of the privacy amendments that the Senate adopted when it considered its own cybersecurity bill were included in CISPA this year.
We are committed to finding the best way to facilitate information sharing between private sector companies and, under appropriate limits, with the government. We believe that the best way to further the public debate about CISPA is to be transparent about what we see as the critical problems in the bill and what we think are the solutions to those problems. Therefore, we are publishing a two-page document identifying eight critical problems in CISPA, with a solution to each. We are also publishing a redline of the bill that shows how it would change if our solutions are adopted. We are conveying these proposals to all members of the House Intelligence Committee.
Our fixes to CISPA would:
- Promote civilian, not NSA, control of the federal government’s cybersecurity program for the private sector;
- More carefully describe the cyber threat information that can be shared;
- Specify which laws would be pre-empted for cybersecurity information sharing, instead of pre-empting all laws;
- Ensure that information shared for cybersecurity purposes is used for cybersecurity, with limited law enforcement exceptions;
- Clarify that the bill does not authorize and immunize computer hacking to obtain cyber threat information from another;
- Add some of the civil liberties protections in last year’s Senate bill.
While we believe that last year’s Senate bill was significantly more protective of civil liberties than is CISPA, it had its own flaws. Like the House bill, its information sharing provisions would pre-empt all law – an approach almost sure to have unintended consequences. The complicated immunity scheme in the Senate bill favored the sharing of cybersecurity threat indicators with the government over sharing within the private sector. Carefully controlled information sharing within the private sector can be more nimble – and speed counts – and it avoids all the issues that arise when the government obtains what would otherwise be private information.
While we hope that the transparency and public debate that we promote today by releasing these documents will lead to significant improvements in the legislation, we are under no illusions: CISPA has fundamental flaws and we seek significant changes. If they are not made, CDT will continue to oppose the bill.
We also urge the House Intelligence Committee to open its process to the light of day. Last year, the Committee conducted the mark up of CISPA in secret. This fosters distrust and public misunderstanding. This year, it should hold an open mark up of CISPA. Amendments should be published in advance, so they can be assessed.
In short, we think CISPA needs major surgery, we have shown how we think it could be performed, and we’re asking the Committee to do this particular operation in public.