Modernizing Authentication — What It Takes to Transform Secure Access
On Thursday, the U.S. House of Representatives passed the controversial Cyber Intelligence Sharing and Protection Act (H.R. 3523, CISPA) act, pitting the legislation against a White House veto threat should it clear the Senate. It also drew the ire of online privacy groups that vow to make their objections heard by the Senate.
Sponsored by the chairman of the House Intelligence Committee, Representative Mike Rogers (R - MI) and supported by 112 co-sponsors, CISPA is an amendment to the National Security Act of 1947 that is meant to address security in the Internet age.
Broadly, CISPA contains provisions against hacking activity that targets government or private networks and systems. CISPA also aims to guard against "theft or misappropriation of private or government information, intellectual property, or personally identifiable information." Its passage would facilitate the trading of cyber-threat information between intelligence agencies and private companies service providers.
Several IT and communications companies have signaled support for the bill, including Microsoft, Facebook, AT&T, and Verizon.
According to Congressman Rogers, CISPA will help protect American companies and their intellectual property. After the House vote, he released a statement saying, "We can't stand by and do nothing as U.S. companies are hemorrhaging from the cyber looting coming from nation states like China and Russia."
Hinting at the dangers of vetoing CISPA, he offered an example of the misfortune that befell one American business. "One company in particular estimated they lost 20,000 good paying manufacturing jobs for Americans because countries like China stole their intellectual property and illegally competed against them in the marketplace."
Civil liberties advocates argue that the legislation's definition of cybersecurity threats remains overly broad, even after several rounds of amendments. Worse, they fear that CISPA's intelligence sharing mandate can ensnare the private communications and online activities of ordinary citizens with little oversight.
In a statement released shortly after CISPA cleared the House with a 248 to 168 vote, Lee Tien, Electronic Frontier Foundation (EFF) Senior Staff Attorney reiterated his organization's stance on CISPA.
"As the Senate takes up the issue of cybersecurity in the coming weeks, civil liberties will be a central issue. We must do everything within our power to safeguard the privacy rights of individual Internet users and ensure that Congress does not sacrifice those rights in a rush to pass vaguely-worded cybersecurity bills," states Tien.
White House Veto Looms
CISPA has little chance of making into a law if it emerges from the Senate without some big changes.
In a Statement of Administration Policy (PDF) issued a day before CISPA was taken to a vote in the House, the White House said that it fundamentally supported better collaboration between the government and private enterprise in matters of cybersecurity. "The Administration is committed to increasing public-private sharing of information about cybersecurity threats as an essential part of comprehensive legislation to protect the Nation's vital information systems and critical infrastructure."
However, President Obama's policy advisors laid out several sticking points that make the current CISPA legislation a non-starter.
"Without clear legal protections and independent oversight, information sharing legislation will undermine the public's trust in the Government as well as in the Internet by undermining fundamental privacy, confidentiality, civil liberties, and consumer protections," states the administration.
The White House also objects to the legal shield that CISPA extends to traders of cyber threat information. "In addition, H.R. 3523 would inappropriately shield companies from any suits where a company's actions are based on cyber threat information identified, obtained, or shared under this bill, regardless of whether that action otherwise violated Federal criminal law or results in damage or loss of life," it argues.
The administration concludes, "This broad liability protection not only removes a strong incentive to improving cybersecurity, it also potentially undermines our Nation's economic, national security, and public safety interests."