CISPA Still Fundamentally Flawed
What a difference a year didn’t make. On Wednesday, House Intelligence Committee Chairman Mike Rogers and Ranking Member C.A. Dutch Ruppersberger reintroduced the Cyber Intelligence Sharing and Protection Act, or CISPA, the same bill that passed the House last April over the opposition of civil liberties and Internet freedom groups and despite a Presidential veto threat.
Much has happened since last year’s CISPA battle, including significant progress on a Senate cybersecurity bill that had stronger privacy protections and the issuance just this week of an Executive Order on cybersecurity that required privacy be protected in the very design of federal cybersecurity programs. And yet, CISPA has been reintroduced as it passed the House last Congress, still bearing the flaws that gridlocked progress last year on the critical but difficult issue of information sharing.
CISPA’s flaws are twofold. First, the bill creates a sweeping cybersecurity exception to all of our hard-won privacy protections and then encourages (through grants of immunity) companies to share private Internet communications and information directly with the NSA, a military intelligence agency that operates secretly with little public accountability. Second, it allows that private information, once it is in the hands of the military, to be used for purposes completely unrelated to cybersecurity.
We do need to figure out how to improve information sharing on cyberthreats among companies and between the government and the private sector. The new Executive Order should increase the flow of cyberthreat information from the government to the private sector. That is an important step forward. The next issues to be addressed – allowing companies to share information with each other and with the government – may require changes to current privacy laws, but those changes must be narrowly tailored.
Cybersecurity information sharing legislation should restrict the government from using cyberthreat information received from the private sector for non-cybersecurity purposes, and it should make the civilian-led Department of Homeland Security the focal point of cybersecurity efforts aimed at the private sector. Congress should not allow cybersecurity information sharing to become a back door wiretap and general intelligence collection tool. CDT has consistently argued that we can protect both cybersecurity and privacy, and we believe that is especially true of the information sharing issue.