Last week CISPA, the cybersecurity information-sharing bill, passed the House. Though fundamentally flawed, the bill is very different from when it passed the House a year ago, demonstrating the power of a growing Internet advocacy community that sometimes underestimates its own influence. Two game-changing achievements stand out.
When CISPA was reintroduced this year, CDT and others pointed out that, once again, the bill allowed information shared with the government for cybersecurity purposes to be used for national security purposes unrelated to cybersecurity. In the face of criticism that this loophole would turn CISPA into a backdoor intelligence-gathering operation, the House Intelligence Committee amended the text to clearly prohibit such uses. Chalk up one significant victory for Internet advocacy.
A second major flaw in the bill was that it would have changed decades of federal policy by shifting control over private sector cybersecurity programs to a super-secret military agency, the National Security Agency. Last year, in the face of criticism, the House leadership blocked any vote on the question of civilian versus military leadership. This year, in the face of ongoing advocacy about the dangers of giving a military agency the lead role in cybersecurity efforts for private sector networks, an amendment was allowed and passed. The amendment was poorly drafted and may not actually say what its sponsors or advocates intended, but there was no doubt that Members thought they were voting to reaffirm civilian leadership. There is no going back now. That House vote changed the dynamic of the debate. The lead Senate bill last year, and the White House, had already embraced civilian control. Any future cybersecurity bill must give the lead role to a civilian agency. A second significant victory for Internet advocates.
Other fundamental flaws in the bill remain. It still does not require private network operators to take some care in ensuring that the data they disclose to the government actually pertains to a cyberthreat and does not include extraneous material on innocent communications. Its overbroad immunity provisions invite, and insulate from civil and criminal liability, reckless cybersecurity decisions that damage others. For these reasons, CDT still opposes the bill.
But the fact is that a powerful privacy campaign against CISPA forced substantial changes in the bill that seemed impossible even a month ago.
To define what happened in the House as a complete failure for Internet privacy would ignore significant improvements in the bill. Any thinking that those improvements came out of thin air seriously underestimates the movement that many have been working to build since the SOPA/PIPA victory early last year. It would send a message to the grassroots that they cannot make a difference when in fact, they did, and their power is growing. The message to friend and foe alike should be that the Internet advocacy community must be taken seriously.
If and when a cybersecurity bill moves to the Senate, the story about House passage of CISPA should not be about failure. Instead, the message is that Internet advocates bent the arc of the debate. Not every success will have a SOPA-like simplicity. Those absolute victories will be few and far between. But House action on CISPA shows that the movement for the open Internet does influence the shape of legislation and policy. Let’s get ready for what lies ahead.