Visions of a New CISPA
Last month the Senate introduced a bill called the Cyber Threat Sharing Act, which would encourage companies like Google to share customer data and divulge the details of security threats and breaches with the NSA and other government agencies.
More recently, the House Intelligence Committee has drafted The Protecting Cyber Networks Act. Both of these bills are largely in response to last year’s Sony Pictures Attack, which was deemed a threat to National Security due to the level of access the criminals, believed to be foreign, were able to gain.
A similar bill was in Congress in 2013 but was very divisive and received no support from the White House. It was called the Cyber Intelligence Sharing and Protection Act, or CISPA. Many of the elements in the new bills closely resemble CISPA and the changes that were later made to it. The overall national security objective is, according to the government, to give companies the ability to communicate accurate threat information to the government effectively, without fear of being sued. But, looking deeper, the bill appears to expand government powers.
The bill specifically authorizes, if not downright encourages, companies to monitor the activities of their customers. This includes e-mail and other communications data. For perspective:
Notwithstanding any other provision of law, a private entity may, for a cybersecurity purpose, monitor […] information that is stored on, processed by, or transiting an information system monitored by the private entity under this paragraph.
This overrides any user agreement the user may have accepted, goes beyond the current statutes a wronged user might rely on to sue a company for snooping on them, and covers essentially everything transacted on the Internet. “A cybersecurity purpose” is a very broad basis on which to authorize such conduct, given that almost anything a user does on a system could potentially have something to do with its network security.
The major difference between this bill and the old CISPA bills is the requirement to anonymize data that is “not directly related to” a cybersecurity threat. Again, this can be vague. If a thousand users receive a piece of malware that then infects a network and subsequently renders it insecure and unstable, will they all have their personal information reviewed by the authorities in the resulting investigation? This part of the bill reads:
A non-Federal entity sharing a cyber threat indicator pursuant to this Act shall, prior to such sharing, take reasonable efforts to […] implement a technical capability configured to remove any information contained within such indicator that the non-Federal entity knows at the time of sharing to be personal information of, or information identifying, a specific person not directly related to a cybersecurity threat.
The bipartisan bill has a lot of support in Congress, with many feeling that something has to be done to prevent attacks in the future. Existing computer security laws have long made illegal many of the acts behind the major breaches of the last ten years, but they have not stopped the attacks with any regularity. What is it that makes the representatives believe that anything will change with a new law?
Representative Adam Schiff told the press, “We’re light years ahead of where we were last session,” in reference to the opposition that the previous bills faced due to privacy concerns. But Americans’ right to privacy is not all that’s on the line here.