House Intelligence Committee Chairman Rep. Mike Rogers, R-Mich., speaks… (Manuel Balce Centa / AP Photo )
Reporting from Washington — As the Cyber Intelligence Sharing and Protection Act of 2011 nears its time in the congressional spotlight, supporters and detractors alike are fine-tuning their arguments in preparation for another battle over how the Internet will be influenced by federal legislation.
The core objective of CISPA is simple: Opening up greater means for communication between private entities and the federal government on issues of cybersecurity and national security.
“Today the U.S. government protects itself using classified and unclassified threat information that it identifies from attacks on its networks,” a staffer on the Permanent Select Committee on Intelligence said, introducing the legislation on a conference call April 10. “However, the majority of the private sector doesn’t get access to this information because the government has no mechanism today for effectively sharing.”
The points of contention reside within the details of the bill. Rebecca Jeschke, digital rights analyst with the Electronic Frontier Foundation, struck at the most important issue that her organization, and others, have with CISPA, the language of the bill itself.
“The language is so vague that there’s a huge level of interpretation of data that could be shared,” Jeschke said.
Michelle Richardson, a legislative council at the ACLU’s Washington Legislative Office, echoed Jeschke’s remarks.
As it stands now, she said, the bill is “broad enough to go beyond China,” referring to the frequent invocations of Chinese subterfuge and espionage aimed at U.S. private and governmental networks made by its proponents.
The data intended to be shared, titled “cyber threat intelligence” within CISPA, is defined as information that is within the intelligence community’s hold “pertaining to the protection of a system or network from” one of the following.
“Efforts to degrade, disrupt or destroy such system or network … theft or misappropriation of private or government information, intellectual property or personally identifiable information.”
Rep. Dutch Ruppersberger (D-Md.), a co-sponsor of the bill alongside Rep. Mike Rogers (R-Mich.), has sought to address the concerns over the inclusion of intellectual property, which happened to be the contentious focal point of the defunct SOPA legislation.
“I am not talking about .mp3 files or movies or music, I’m talking about billions of dollars that American companies spend on research and development every year,” he said during Tuesday’s conference call.
Facebook, arguably the highest-profile supporter of the bill, given its vast resources of personal information, reiterated its support Friday in a statement released by Joel Kaplan, Facebook’s vice president of public policy.
“The concern is that companies will share sensitive personal information with the government in the name of protecting cybersecurity. Facebook has no intention of doing this and it is unrelated to the things we liked about HR 3523 in the first place - the additional information it would provide us about specific cyber threats to our systems and users,” he said.
Ruppersberger listed some of those possible threats during the conference call.
“You have the criminal front where people are just trying to steal identities, get into your account and steal your money … we believe that there will be a catastrophic cyberattack if we don’t at least start to put some protections in .. and, lastly, this cyber espionage piece that is absolutely devastating to the future economy of the United States,” he said.
Richardson elaborated on the ACLU’s concerns with CISPA, and why they’ve been adamantly against it since the initial committee markup.
Ideally, Richardson said, there would be a limitation placed in the legislation making it so that the information gathering efforts pertain only to cyberthreats, with Congress setting up an explicit road map to set up which agencies will be granted access to the data obtained from private companies.
“Here it’s a free-for-all” she said, citing that data obtained through CISPA could theoretically end up in the Department of Defense or in the hands of the National Security Agency. Preferably, and this is something that Jeschke agrees with, the Department of Homeland Security, a civilian agency, would be the sole recipient given control of the data.
Otherwise, Richardson said, “It’s allowing them [companies] to go straight to the military.”
A new draft of CISPA, posted by the committee Friday, highlights areas in which the legislation has changed since its inception, and how it has adapted to the criticisms leveled against it. Amendments added are highlighted in green, while those still under consideration are highlighted in yellow.