The House passed the Cyber Intelligence Sharing and Protection Act (CISPA), a bill that purports to improve U.S. cybersecurity. In fact, the bill does little to protect us and a great deal to destroy the privacy of American communications.
The bill allows private entities to share "cyber threat" information with the government without liability. Written that way, CISPA doesn't sound so bad. The catch is in the definition of cyber threat information. This includes any information on "(i) a vulnerability of a system or network of a government or private entity; (ii) a threat to the integrity, confidentiality, or availability of a system or network of a government or private entity or any information stored on, processed on, or transiting such a system or network; (iii) efforts to deny access to or degrade, disrupt, or destroy a system or network of a government or private entity; or (iv) efforts to gain unauthorized access to a system or network of a government or private entity, including to gain such unauthorized access for the purpose of exfiltrating information stored on, processed on, or transiting a system or network of a government or private entity."
That's an incredibly broad net. It's big enough to include anyone sending copyrighted information, regardless of whether that use is legal. It's large enough to catch anyone using a system that might slow network traffic, even when the system is legal and being used for legitimate purposes (such as when NASA uses BitTorrent to ship satellite data or a games company does the same for updates to its software; there are lots of legitimate uses for file-sharing software).
So why is industry supporting the bill? It's the "Get Out of Jail Free" card. There's no liability on the companies for sharing private data with the government. If a company gives the government emails that it thinks contain a virus and, in the process, mistakenly exposes a private citizen's private data, CISPA provides a free pass. No violation of HIPAA -- or any other privacy law.
What will the bill accomplish? It will give the National Security Agency loads of private data about Americans, who they're communicating with, when, how often, what they're saying. In some cases, the cyber threat information can be used for the investigation and prosecution of certain crimes, no warrant needed.
The bottom line, though, is this: will CISPA help solve the nation's cybersecurity problems? That's where the bill's premise is highly questionable. CISPA allows sharing of cybersecurity threats in an effort to head off attacks as they're occurring. But there's little evidence that such "real-time" sharing can really work. Efforts with the EINSTEIN program for anomaly detection (information sharing to detect odd behavior and protect against it) haven't netted much; indeed, there are reasons to expect that this type of response can't be effective at large scale. The hidden fact is that CISPA completely avoids the issue of protecting critical infrastructure. The bill's authors said the reason for CISPA not covering critical infrastructure was "that [was] outside of our jurisdiction."
With more and more private data residing in third-party providers -- think Gmail and Facebook -- CISPA's refrain might be stated as "bye-bye privacy, bye-bye freedom, bye-bye innocent until proven guilty." This bill creates a privacy invasion that makes the warrantless wiretapping of the Bush administration look like a minor break-in.
In 1789, when this nation was young and not very powerful, we passed the First Amendment, protecting the right to publish and implicitly the right to read anonymously, and the Fourth Amendment, which protects against unreasonable search and seizure. Those amendments have protected Americans and their state for over two centuries. In his inaugural address, Franklin Roosevelt said, "The only thing we have to fear is fear itself -- nameless, unreasoning, unjustified terror which paralyzes needed efforts to convert retreat into advance." The Obama administration has said it will veto the bill -- as well it should. We need cybersecurity protections, but CISPA is completely the wrong way to go about accomplishing that.
NOTE: Two errors have been corrected from the original posting, which gave a link to the bill brought to the House floor and quoted from that bill, rather than correctly linking to and quoting from the amended bill as passed by the House. These errors resulted from using the most recent version of the bill on thomas.loc.gov as posted on April 29.