Congress seems intent on passing cybersecurity legislation, but between the demise of SOPA (Stop Online Piracy Act) and election year distractions, it’s hard to see how related legislation could advance beyond Capitol Hill this year. However, there’s a controversial new acronym in town, and it’s crossed an important congressional hurdle. The Cyber Intelligence Sharing and Protection Act (CISPA), or H.R. 3523, passed the House on April 26 amid heated debate, and is now headed the Senate. In the interest of warding off cybersecurity threats, the bill allows for easier sharing of user information between intelligence agencies and web companies, social networks and Internet service providers.
Why should we pay attention to CISPA? Because through CISPA’s lens, domestic cybersecurity migrates out of the civilian sphere and becomes an intelligence activity, so different rules apply. This is a significant paradigm shift. While CISPA doesn’t require companies to necessarily violate their terms of service by sharing user information with the government, it does allow them to do so “notwithstanding any other provision of law.” A company acting on any “cybersecurity threat” would be protected by legal safeguards under CISPA, as long as it acted in “good faith.”
CISPA’s sponsors contend that the legislation is a necessary tool to fend off cybersecurity threats from China and Russia, and that it “protects privacy by prohibiting the government from requiring private sector entities to provide information.” Under CISPA, a company that protects itself or other companies against “cybersecurity threats” can “use cybersecurity systems to identify and obtain cyber threat information to protect the rights and property” of the threatened company. Opponents argue that “us[ing] cybersecurity systems” could allow for broad interpretation and apply to monitoring email, filtering content, or blocking access to sites. The Obama Administration has threatened to veto the bill, asserting that “cybersecurity and privacy are not mutually exclusive” and singling it out as an intelligence bill, not a security bill, that makes civilians easier targets for surveillance.
Although many critics would like to compare CISPA to SOPA (hoping for a toxic association and follow-on protest that will sink this bill, too), CISPA’s goals and language are not the same as SOPA’s. Big tech companies like Microsoft, AT&T and Facebook (which opposed SOPA), support the bill in its current iteration. For years, tech companies have complained about legal obstacles to sharing cyberthreat information with each other and government agencies. CISPA does not affect their bottom line in the same way that SOPA did. It does not compel them to share information, and in fact it affords them more government cooperation and protection. CISPA may be more onerous from a civil liberties and Fourth Amendment perspective, but not from a business perspective.
As CISPA heads to the Senate, its future is uncertain. In recent years, cybersecurity bills have stalled in the Senate hopper, never to be seen again. The bill passed the House largely along party lines, led by Republicans, but its leverage of national security themes could give it stronger legs to stand on in the Democrat-controlled Senate, especially during an election year. To be sure, privacy advocates will come after this bill and come after it hard, and it is an important benchmark in the complex intersection of government and Internet interests.