Zombie law: CISPA cyber bill resurrected from the dead

13 Feb, 2013 18:07 / Updated 12 years ago

The two US lawmakers responsible for last year’s failed cybersecurity bill known as CISPA are reintroducing the act, and renewed interest from Washington means it might have a fighting chance this time at being signed into law.

Less than ten months after the Cyber Intelligence Sharing and Protection Act stalled on Capitol Hill after being overwhelmingly approved in the House of Representatives, the architects of bill that’s been called “Worse than SOPA” are once more pitching their effort to politicians. If approved, CISPA could reshape the way American businesses interact with the federal government by setting up a system for private sector entities to share cyberthreat information with any agency administered by Uncle Sam, a notion being called a national security necessity by an increasing number of figures in Washington. Critics of the act condemn the bill’s vague verbiage, though, and less than one year ago orchestrated an online opposition movement with hopes of snuffing CISPA for good. But while the bill — the brainchild of Rep. Mike Rogers (R-Mich.) and Sen. Dutch Ruppersberger (D-Calif.) — failed to garner the support needed within Washington to make it become a law last year, urging from both Congress and the commander-in-chief — and coupled with a new slew of alleged cyber intrusions — could help CISPA be added to the books in no time. CISPA, a bill “to provide for the sharing of certain cyber threat intelligence and cyber threat information between the intelligence community and cybersecurity entities,” was approved by the House by a 248-168 vote last April, but ended in political purgatory after lawmakers in the Senate failed to see eye-to-eye with their congressional counterparts. Even had CISPA made it that far, though, aides for US President Barack Obama insisted problems with the bill would make it the subject of an executive veto. During just a few short months, however, the White House has rallied support for cybersecurity legislation, and just this week Pres. Obama signed an executive order to establish the framework needed to protect the country’s critical and wired infrastructure in lieu of Congress’ inability to do so on their own part, whether through CISPA or by other means. Pres. Obama announced the order during his State of the Union address Tuesday evening, and added a plea to the politicians in his audience to work towards a Legislative Branch solution.“Earlier today, I signed a new executive order that will strengthen our cyber defenses by increasing information sharing, and developing standards to protect our national security, our jobs and our privacy. Now, Congress must act as well, by passing legislation to give our government a greater capacity to secure our networks and deter attacks,” Pres. Obama said.An executive order from Pres. Obama isn’t exactly a rare occurrence, and a laundry list of directives signed in the wake of last year’s Sandy Hook massacre aimed to establish gun reform was faced with furious opposition on the Hill. Either way, though, the orders he’s made from the Oval Office have led some lawmakers to suggest that the commander-in-chief is bypassing both Congress and the Constitution.“Obama's increasing reliance on executive orders to push policy and skirt congressional deliberation is worrisome,” Sen. Ted Cruz (R-Texas) tweeted this week.But in a joint statement issued by the officers of Rep. Rogers and Sen. Ruppersberger on the day of the annual address, the CISPA co-authors said they were “pleased” with the president’s remarks and agreed that “our biggest barriers to bolster our cyber defenses can be fixed only with legislation.” CISPA, said the lawmakers, will “help US companies better protect themselves and the privacy and civil liberties of their customers” from international hackers per the president’s request.“This is clearly not a theoretical threat – the recent spike in advanced cyberattacks against the banks and newspapers makes that crystal clear: American businesses are under siege,” Rep. Rogers said. He added that American companies need to have their networks better protected because, as he explains in an op-ed published last week in The Detroit News, “thousands of highly-trained computer engineers wake up” every morning in China with the mission to “Steal American intellectual property that the Chinese can in turn use to compete against us in the international market.”“It is time to stop admiring this problem and deal with it immediately,” Rogers added this week. “Congress urgently needs to pass our cyber threat information sharing bill to protect our national security, our economy and US jobs.”To CISPA’s critics, though, one very important item isn’t taken into consideration when it comes to offering protection. Opponents of the bill insist that approving CISPA could have damning repercussions for personal privacy and would put off-the-record conversations online and in the hands of any government investigator who can call that data relevant to a case. For that reason, it’s been opposed by the Electronic Frontier Foundation, the American Civil Liberties Union, the Center for Democracy and Technology and others. Even Mozilla, a leading Silicon Valley software maker, strayed from the pack last year and said, “While we wholeheartedly support a more secure Internet, CISPA has a broad and alarming reach that goes far beyond Internet security,” “The bill infringes on our privacy,” Mozilla’s privacy and public policy official said in a statement to Forbes last year.Even still, others say the overly vague language of the bill itself could lead to broad interpretation. Speaking to RT when CISPA was last up for vote in April 2012, Demand Progress co-founder Aaron Swartz said the act has “all the censorship problems” of other cyber legislation that’s been proposed in under the Obama administration such as SOPA and PIPA — the Stop Online Piracy Act and Protect IP Act, respectively — but warned that CISPA is “incredibly broad and dangerous” since “it also goes much further and allows them to spy on people using the Internet, to get their personal data and e-mails.” All, of course, in the name of cybersecurity. But as Congress is still only in its infancy in terms of understanding computers, that ill-defined term can allow for Washington to interpret CISPA in a variety of ways. “CISPA is essentially an Internet monitoring bill that permits both the federal government and private companies to view your private online communications with no judicial oversight, provided, of course, that they do so in the name of cyber security,” former presidential hopeful and congeressman Ron Paul said on the campaign trail last year. Since CISPA was first introduced in November 2011, it’s undergone a handful of revisions and has received a number of amendments. But while those changes have been touted as the installation of privacy safeguards for the public by some, others say some of CISPA’s edits have made it an even worse act. One amendment, approved in April’s House vote, was celebrate by some CISPA supporters because it refined the government’s use of shared cyber threat information under the bill to five specifics purposes: cybersecurity; investigation and prosecution of cybersecurity crimes; protection of individuals from the danger of death or physical injury; protection of minors from physical or psychological harm; and protection of the national security of the United States. When that amendment made it to TechDirt.com blogger Leigh Beadon last year, she said it was “absolutely terrible” because, instead of limiting the government’s power, it really only expanded the scope of “cybersecurity” in terms of what the feds can and can’t do with private data.“Basically it says the Fourth Amendment does not apply online, at all,” Beadon wrote. “Basically this means CISPA can no longer be called a cybersecurity bill at all. The government would be able to search information it collects under CISPA for the purposes of investigating American citizens with complete immunity from all privacy protections as long as they can claim someone committed a ‘cybersecurity crime.’”During Pres. Obama’s Tuesday evening address, members of the international hacktivist movement Anonymous launched an unsuccessful cyber battle against the White House in protest of the administration’s relentless war on the Internet. “We reject the State of the Union. We reject the authority of the President to sign arbitrary orders and bring irresponsible and damaging controls to the Internet,” read a statement made by the group that morning, which included a call to arms for Anons to disrupt that evening’s SOTU broadcast. Now with CISPA about to be formally reintroduced, they face one more cyber hurdle. If they want to fight back, though, this time they’ll likely face an uphill battle unheard of since last year’s protests.