CISPA, the bill recently passed in the House of Representatives which aims to usher in a new era of cyber watchdogging, has many concerned. The vague language involved worries us all that it may not be direct enough to be truly effective. More to the point, it may be so vague that nefarious companies will use it to compromise the everyman, and we’ll be corralled into a level of compliance we aren’t comfortable with.
This bill passed the House last year as well, then died a slow death in the Senate. President Obama’s administration has some harsh language for the bill, and has threatened it with veto. Is CISPA just evil, or misunderstood?
In 1947, a National Security Act was enacted. Signed into effect by President Truman, the bill effectively re-organized our security forces, as well as created the Defense Secretary position. The first Secretary of Defense, James Forrestal, found his powers a bit limiting for what he needed to accomplish. In 1949, the Department of Defense was created to allow Forrestal the governing oversight he needed.
CISPA is an amendment to the National Security Act, which of course didn’t imagine or allow for cyber security concerns. The bill describes a cyber security issue as the following: information in the possession of an element of the intelligence community directly pertaining to a vulnerability of, or threat to, a system or network of a government or private entity, including information pertaining to the protection of a system or network from either ‘efforts to degrade, disrupt, or destroy such system or network’; or ‘theft or misappropriation of private or government information, intellectual property, or personally identifiable information.’
The bill goes on, in quick order, to mandate that the Director of National Intelligence shall establish procedures to allow elements of the intelligence community to share cyber threat intelligence with private-sector entities and utilities and to encourage the sharing of such intelligence. It dictates that those with whom information is shared must have the proper security clearance, with “the need to protect the national security of the United States”, and “used by a certified entity in a manner which protects such cyber threat intelligence from unauthorized disclosure.”
What about the private sector?
This act marks the first time the government has made a formal attempt to work with private entities on information sharing. Many of us hear that big business and big government will be working in unison, and jump to the conclusion that the government is going to strong-arm the private sector into gathering information, or that companies will coerce the government into doing their dirty work. CISPA safeguards against that.
Section G of the bill reads: Nothing in this section shall be construed to provide additional authority to, or modify an existing authority of, the Department of Defense or the National Security Agency or any other element of the intelligence community to control, modify, require, or otherwise direct the cybersecurity efforts of a private-sector entity or a component of the Federal Government or a State, local, or tribal government. It immediately goes on to note that the bill does not require an information sharing relationship, nor will it alter any existing relationship. It opens doors, but does not force a company through them.
How CISPA defines a threat
We’re just going to let CISPA do the talking, here: The term ‘cyber threat information’ means information directly pertaining to— ‘(i) a vulnerability of a system or network of a government or private entity; (ii) a threat to the integrity, confidentiality, or availability of a system or network of a government or private entity or any information stored on, processed on, or transiting such a system or network; (iii) efforts to deny access to or degrade, disrupt, or destroy a system or network of a government or private entity; or (iv) efforts to gain unauthorized access to a system or network of a government or private entity, including to gain such unauthorized access for the purpose of exfiltrating information stored on, processed on, or transiting a system or network of a government or private entity.
The act also notes that simply attempting to gain access to a database is not necessarily illegal. In those situations, which likely violate a Terms of Service agreement, the person(s) responsible would not be subject to immediate legal action under CISPA. Should you attempt to otherwise disrupt or alter the system, then you might have a problem.
Why it’s scary
While CISPA has some very plain language that aims to create open dialogue versus government oversight, we worry. Can we trust the companies we entrust our information to to keep our best interest at heart? That question is best answered individually, as it boils down to what level of trust you have with the website or entity you have a relationship with.
Some of us also tend not to trust our government, or its regulators. We saw SOPA and PIPA come to fruition, which incensed many, just as CISPA has. With every iteration of a new act or bill, we’re left to wonder why this is so important to government. They claim it is in the interest of national security, but is it? Is that a ruse, or legitimate? If the government has specific concerns, we feel those should be addressed specifically.
Time is on our side
CISPA is a vague act that seems to have a very pervasive effect in mind. It allows for cooperation between government and private entities, and that has some concerned about our Fourth Amendment. Without a specific, itemized list of worries, we don’t know what to think. An attack could come from anywhere, but so could heavy-handed oversight from those entrusted to ‘protect’ us. Without a properly defined set of parameters, we fear the worst.
If CISPA takes effect, it will take quite a bit of legal precedent to properly define it. Make no mistake, we’ll see people tried under CISPA, and probably in short order. It will take cases like those to really identify the scope and breadth of such an act as CISPA. Patience, even though difficult to exercise, is a virtue.
Amid the talk of “digital bombs” and our nation being “under attack” lies some salient truth. The hard reality is that we don’t know where terrorism or cyber attacks come from, or where they will be next. This is why a bill like CISPA actually needs to be vague and indirect. It’s very difficult to fight threats to security, be it national or otherwise, when you’ve pigeonholed yourself with guidelines that must be followed strictly.
In a time where there are apps and features designed to examine your daily life through the digital footprint you leave, privacy is eroding. As we become more transparent online, we are increasingly through the looking glass. We enjoy the ability to see when our order from Amazon will arrive via Google Now, yet somehow CISPA enrages us.
At the end of the day, CISPA will not affect most people. Most of us don’t do or say anything overtly incendiary online, and we certainly don’t detail how we’re going to shoot up a school. We’re not going to be arrested and thrown in Guantanamo for simply speaking our mind, and to assume so is sensationalism at its finest.
If CISPA worries you, do something. Sign a petition, or get hold of your state senator… but please make sure to read it first. Every time you read CISPA in this article, it is a link to the actual bill, so please be sure to read through it if you want a real understanding of what it is. This bill may have passed the House, but it did so under partisan guidance. The Republicans carried it through, just like they did in 2012. If history repeats itself, we won’t even have to worry about CISPA passing the Senate. We will, however, have not heard the last of it.