Feb 14, 2013 (08:02 AM EST)
CISPA Cybersecurity Bill, Reborn: 6 Key Facts
Read the Original Article at InformationWeek
CISPA last year passed the House, despite facing strong opposition from civil liberties groups and the Obama administration. But the bill ultimately died in the Senate, which was pursuing its own cybersecurity legislation.
Could CISPA 2.0 succeed? Here are six related facts:
1. Original Bill: All Carrot, No Stick.
The original CISPA, written by Mike Rogers (R-Mich.), the House Intelligence Committee Chairman, together with ranking member C. A. Dutch Ruppersberger (D-Md.), and introduced in November 2011, was designed to facilitate two-way information sharing between intelligence agencies and private businesses. Notably, the bill would have legally protected from prosecution any business that shared information about its customers or employees -- including activity on Facebook and email -- with intelligence agencies. Likewise, intelligence agencies were allowed to collect data from businesses as needed "to protect the national security of the United States."
[ Can you -- and should you -- strike back at attackers? Read Offensive Cybersecurity: Theory And Reality. ]
Nebulous language and fears of unchecked surveillance helped ensure the bill's demise. The White House threatened to veto the bill, largely over related privacy concerns. In addition, the bill would have provided classified data to the private businesses that run the vast majority of the so-called critical infrastructure, but not required the businesses actually do anything with the information.
2. Privacy Questions Remain.
Privacy rights groups last year claimed victory when CISPA failed, and they've vowed to challenge any subsequent efforts to field cybersecurity legislation that doesn't include adequate privacy protections. "CISPA offers broad immunities to companies who choose to share data with government agencies (including the private communications of users) in the name of cybersecurity," said Mark M. Jaycox, a policy analyst and legal and legislative assistant at Electronic Frontier Foundation, in a blog post. "It also creates avenues for companies to share data with any federal agencies, including military intelligence agencies like the National Security Agency."
But Rep. Adam Schiff (D-Calif.), a member of the House Intelligence Committee, this week told The Hill that he's concerned about the shortcomings in the previous bill, both on the privacy and critical infrastructure security front, and plans to address these Thursday when the House Intelligence Committee holds its first cybersecurity hearing of the year. "I do think CISPA needs to be strengthened by protecting personally identifiable information and by including critical infrastructure -- it's a very necessary piece," he said.
3. Executive Order Includes Information-Sharing Provisions.
The reintroduction of CISPA came one day after President Obama signed a White House cybersecurity executive order, which he announced in his State of the Union address. "We know hackers steal people’s identities and infiltrate private e-mail. We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems," said Obama. "We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy."
The executive order touches on national cybersecurity and information sharing as well as related privacy requirements. On the information-sharing front, notably, "it expands the Department of Homeland Security's Enhanced Cybersecurity Services program to provide near real-time sharing of information on cyber threats with critical infrastructure companies and state and local governments," said White House cybersecurity coordinator Michael Daniel in an overview of the executive order.
According to Daniel, the executive order also "directs federal agencies to provide timely notification to companies if we have information indicating that a company is the target or victim of a cyber intrusion," which, notably, the FBI already appears to be in the habit of doing. Finally, the executive order tells the Department of Homeland Security "to expedite the processing of clearances for appropriate state and local government and private sector personnel," he said, to encourage better sharing of classified information.
4. Civil Rights Groups Question Need For CISPA.
One reaction to the reintroduction of CISPA after its April 2011 demise has been: why bother? "Here we are, ten months later, with a much-deserved veto threat from the administration, a smarter Senate alternative, and an executive order that will address part of the information-sharing issue -- yet the House starts with the same old privacy-busting bill as before," said Michelle Richardson, legislative counsel for the ACLU, in a blog post.
In other words, privacy rights groups remain wary of CISPA, which the Center for Democracy and Technology previously derided not as cybersecurity legislation, but "surveillance legislation." Obama's cybersecurity order, by contrast, includes no legal protections for businesses that share people's personal information with the government, and instructs government agencies to report on the privacy and civil liberty impact that their cybersecurity programs are having.
5. CISPA Would Have Force Of Law.
Whereas the executive order only instructs the administration about how to proceed, one upside to cybersecurity legislation is simply that it would have the force of law. For example, the government could hold critical infrastructure businesses accountable for making measurable improvements in their information security posture.
After the executive order was signed, both Daniel and NSA director and U.S. Cyber Command commander Gen. Keith Alexander urged Congress to pass some form of bipartisan legislation that would close remaining cybersecurity gaps. The current shortfalls include creating enforceable critical infrastructure security standards, as well as incentives for private businesses to participate.
6. Does Information Sharing Require Laws?
But do private businesses operating in the critical infrastructure need new legislation to enable them to benefit from classified threat intelligence? "Frankly, I believe the tools and processes to facilitate effective and meaningful cybersecurity information sharing already exist; there is no need to reinvent the wheel yet again or add controversial and/or questionable provisions to those processes," said Richard Forno, who directs the University of Maryland Baltimore County's Graduate Cybersecurity Program, in a blog post.
Instead, his recommendation is that CISPA or other cybersecurity legislation focus on "unresolved problems of ... the over-collection of personal information in cyberspace along with its impact on personal privacy and ... the web of over-classifications, clearances and caveats (sometimes redundant and/or moronic in nature) that govern, if not also obstruct, how useful information -- including cybersecurity information -- is shared between interested people and organizations interested in or conducting cybersecurity operations."
Threat intelligence purveyors, heal thyself?
Attend Interop Las Vegas May 6-10, and attend the most thorough training on Apple deployment at the NEW Mac & iOS IT Conference. Join us in Las Vegas for access to 125+ workshops and conference classes, 350+ exhibiting companies, and the latest technology. Use Priority Code TLIWEEK by March 2 to save an extra $100 off the early bird price of Conference Passes. Register for Interop today!