The Cyber Intelligence Sharing and Protection Act (CISPA) makes some very important people mad as hell, while other companies we trust with our personal info every day are cheering it on. Both sides paint a pretty gruesome picture of what happens if it passes or fails. But how bad will it really get, in either case? And is the protection CISPA gives us worth selling out our freedom?
The Murky Basics
NOTE: If you haven’t already read Dan Rowinski’s excellent overview of CISPA, start there.
CISPA starts off strong, with a goal “to provide for the sharing of certain cyber threat intelligence and cyber threat information between the intelligence community and cybersecurity entities.” Unfortunately, the sentence doesn’t stop there, finishing with “and for other purposes.” The last four words are the beginning of the confusion, and it just gets worse. The bill leaves a lot to interpretation on some very important topics, such as defining exactly who constitutes a threat. According to the bill, a cybersecurity threat is someone guilty of “misappropriation of private or government information, intellectual property, or personally identifiable information.” That gives government a wide berth, and it terrifies civil-rights activists.
A Slippery Slope
Rebecca Jeschke, media relations director for the Electronic Frontier Foundation (EFF), thinks the bill’s ambiguity could have catastrophic results: “CISPA gives companies a free pass to bypass all existing privacy law, with vaguely worded provisions and no oversight. It’s a situation ripe for abuse.” How far down the rathole could that abuse go? “If this legislation is passed, Americans will always have the spectre of government surveillance over their online activities – no matter who they are or how private their activities,” Jeschke says.
While that might seem harsh, the EFF isn’t alone. The American Civil Liberties Union claims “this broad legislation would give the government, including military spy agencies, unprecedented powers to snoop through people’s personal information – medical records, private emails, financial information – all without a warrant, proper oversight or limits.”
If CISPA passes, though, we probably wouldn’t notice a thing, at least initially. Unlike SOPA, which outlined more specific, direct (and ultimately, useless) consequences of being labeled a bad guy, CISPA merely removes legal and procedural barriers and adds a veil of anonymity for companies that choose to share customer data. But CISPA is a two-way street, allowing the government to share information about cybersecurity threats with businesses, and who wouldn’t want access to that? “Voluntary” might not be when the government is dangling your company’s security like a carrot on a stick.
Civil-rights organizations aren’t the only ones worried about government leverage. Microsoft, an initial supporter of the bill, recently withdrew its backing, citing concerns about violating existing privacy agreements with its users. Since information sharing remains optional under CISPA, many see Microsoft’s waffling as a tacit acknowledgement that government strong-arming is inevitable. President Obama has cited similar concerns and threatened to veto the bill if it comes across his desk. CISPA will not turn the country into a police state overnight, but with the president and some of the industry’s biggest players backing the EFF’s claims, there’s little doubt that over time, the bill would erode some amount of personal freedom and privacy in the name of security.
Our Only Hope?
Lost liberty has always been the cost of security, and many believe society will give up its freedoms if the reward is great enough. Dutch Ruppersberger (D-MD), one of CISPA’s two sponsors, isn’t shy about what he feels is on the line: “We weren’t ready for 9/11. But we have an opportunity to be ready for [a cyberattack].”
Comparing a hack to the greatest tragedy in American history may be extreme, but Ruppersberger has a point. Foreign hackers have already disrupted satellite operations, and they steal as much as $400 billion in trade secrets each year. An organized attack on a traffic grid or power plant could absolutely lead to real-world deaths. Clearly, we’re underprepared, and we need to do something. If CISPA doesn’t pass, are we screwed?
According to Paul Sweeting, principal at Concurrent Media Strategies, not really. To Sweeting, there’s not a lot of upside to the bill. His evidence? The people most familiar with CISPA don’t seem to believe in it. “I think it’s fair to assume, in light of President Obama’s threatened veto of the bill, that the White House, at least, does not believe the bill as written would be particularly effective,” Sweeting says. “This administration has not exactly been shy about putting its paws on the Internet in the interests of ‘national security,’ or about aggressive measures to protect the intellectual property of U.S. businesses. So if the White House is willing to torpedo CISPA, I think we can assume that its impact on cybersecurity would be limited, even if it passes.”
And what about the coalition of business backers, including Facebook, AT&T, Symantec and other tech heavyweights? Sweeting thinks they’re just in it for a free pass. He claims they’re “mostly interested in the liability exemption and don’t really believe it would have much effect on security. That’s why I think you see some of them going wobbly on their support now (e.g., Microsoft), as the opponents of the bill have gained some traction in the committee for tightening the exemption.” It’s worth noting that nearly all of the CISPA supporters were against SOPA, which would have forced tech companies to police their own content.
If that’s the case, a more specific bill that everyone can support might be worth the wait. After all, as the EFF points out on their website, CISPA does nothing to reduce the number of exploitable vulnerabilities that facilitate the vast majority of exploits, so with or without CISPA, the bad guys aren’t going away any time soon.
Images courtesy of Shutterstock.
