The USA Needs CISPA

Cyber Intelligence Sharing and Protection Act is not as bad as the Internet community might think, says Wayne Rash

In case you hadn’t noticed, there’s a huge outcry going on around the Internet right now regarding CISPA. The Cyber Intelligence Sharing and Protection Act of 2011, which has yet to be debated before the United States Congress, is being called everything from the “Son of SOPA” to a clear threat to First Amendment rights. In fact, it is neither.

SOPA, the “Stop Online Piracy Act,” caused furious protests by Internet companies, web users at large and First Amendment advocates claiming that the proposed legislation would stifle free speech and give law enforcement excessive powers to shut down websites without judicial review. Public opposition has effectively stalled SOPA in Congress.

Missing the point

Unfortunately, it does not appear that the people currently ranting on Reddit and elsewhere have actually read the proposed CISPA legislation. Had they done so, they’d have found that CISPA is in fact focused on national security and the theft of classified and R&D information. Note that the copy of the bill in the link is the marked-up version, including amendments under consideration. Changes in markup are in green, and amendments are in yellow.

The current text of CISPA is also online, as are an amendment that would prevent any quid-pro-quo forcing of information sharing and one that adds a reporting requirement. Note that the amendments are written by the sponsors of the bill, so their incorporation into the final draft is certain.

Once you’ve read through the bill, it is clear that this law is intended to allow the intelligence community to share information with private companies that have been attacked or are at risk of being attacked. What this means is that those who should be most worried are the teams of Chinese hackers and other state-sponsored attackers who are waging a constant war against US interests and intellectual property by breaking into computer systems to steal secrets.

These attacks have been happening for some time, and while a few companies have managed to thwart them, as when Lockheed Martin beat off a Chinese attack, the fact is that such attacks persist, and they’re aimed not just at the giants of the defense industry, but also at companies such as Google. And most of these attacks have been successful.

Aircraft maker Boeing was reportedly hacked recently, and the information gathered was used by the Chinese government in the development of its own passenger aircraft. Such attacks are relentless, and unlike in the US and Western Europe, they’re not just for military advantage. These attacks, while carried out by the armed forces in their respective countries, have commercial interests.

Protecting the Fourth Amendment

Currently, US laws prevent information sharing between the government and private industry. Because of this, companies are unable to get the help they need to stop being attacked by the state-sponsored hackers and cyber-criminals. This also means that the government is unable to gather the information it needs to seek out, and perhaps neutralize, the attackers. In short, America is bound by its laws to the point that it is essentially defenseless against cyber-attacks.

Despite all the scary words being bandied about in the chat rooms, this proposed law does not give the government free rein to go after people who share movie files or music, or even those who run sites that offer copyrighted material for download. The law limits information sharing to matters related to national security, and it specifically prohibits the use of the information by regulators, as well as information sharing for any purpose other than fighting cyber-crime.

While there has been some concern that the government would create a quid pro quo situation in which companies would be required to turn over information so they could receive help from the intelligence community, that potential hole has been plugged by an amendment written by the bill’s original author.

Does this mean I think that CISPA is perfect? No, it doesn’t. I think some protection against Fourth Amendment violations could be more clearly written into the bill. For example, if the government were to receive personally identifiable information that’s currently protected under one of many federal laws, then it probably should require a warrant for that information to be seen or used.

In addition, there needs to be stronger language preventing the sharing of information gathered in the process of fighting cyber-crime with law enforcement agencies — unless the information being shared happens to reveal the cyber-criminal. Then the normal rules of criminal investigation should be followed, as if evidence of a crime was uncovered during some other government activity.

Currently, there’s nothing in CISPA that specifically violates anyone’s civil rights, unlike the proposals in SOPA which included clear First Amendment violations. But that doesn’t mean that CISPA should protect known cyber-criminals either. It should be clear that if such people are discovered, then they should be handled according to standard legal criminal procedures and precedents.

On the other hand, this shouldn’t mean that the legitimate interests of the US to protect itself against outside attacks should be hampered. Right now, the country is effectively hamstrung when it comes to defending against cyber-attacks. That needs to be changed. So instead of mindlessly railing against the new law, perhaps some constructive effort in making the law better would be a better use of everyone’s time.
