ProPublica

Journalism in the Public Interest

Cancel

Is CISPA SOPA 2.0? We Explain the Cybersecurity Bill

Our rundown on the debate over the latest controversial Internet bill and what CISPA could mean for you.

A computer forensic examiner looks for evidence on hard drives at the Department of Defense Cyber Crime Center in Linthicum, Md., on Aug. 11, 2011. (Cliff Owen/AP Photo)

Update (4/26): An earlier version of this story said a proposed amendment by Rep. Adam Schiff, D-Calif., had helped gain support for CISPA. Schiff’s amendment, which among other things would further define what’s considered a "cyber threat," is no longer scheduled for consideration.

The Cyber Intelligence Sharing and Protection Act, up for debate in the House of Representatives today, has privacy activists, tech companies, security wonks and the Obama administration all jousting about what it means – not only for security but Internet privacy and intellectual property.  Backers expect CISPA to pass, unlike SOPA, the Stop Online Piracy Act that melted down amid controversy earlier this year. 

Here’s a rundown on the debate and what CISPA could mean for Internet users.

What exactly is CISPA?

The act, sponsored Rep. Mike Rogers, R-Mich., and Rep. Dutch Ruppersberger, D-Md., would make it easier for private corporations and U.S. agencies, including military and intelligence, to share information related to “cyber threats.” In theory, this would enable the government and companies to keep up-to-date on security risks and protect themselves more efficiently. CISPA would amend the National Security Act of 1947, which currently contains no reference to cyber security.  Companies wouldn’t be required to share any data. They would just be allowed to do so.

Why should I care?

CISPA could enable companies like Facebook and Twitter, as well as Internet service providers, to share your personal information with the National Security Agency and the CIA, as long as that information is deemed to pertain to a cyber threat or to national security.

How does the bill define “cyber threat”?

The bill itself defines it as information "pertaining to a vulnerability of" a system or network — a definition that opponents have criticized as too broad. The bill gained support after sponsors agreed to allow votes on several amendments they said would make concessions to privacy activists; one aims to narrow the definition of "cyber threat.”

When can data be shared?

Rogers said the amended version of the bill would only enable companies and intelligence agencies to share information related to 1) cyber security purposes; 2) investigation and prosecution of cyber security crimes; 3) protection of individuals from death and bodily harm; 4) child pornography; or 5) protection of the national security of the United States.

Why are privacy activists upset about CISPA?

Privacy activists like the American Civil Liberties Union and the Electronic Frontier Foundation contend CISPA isn’t specific enough about just what constitutes a “cyber threat.” They say it enables Internet companies and service providers to hand over sensitive user information to intelligence agencies without enough oversight from the civilian side of government. Finally, they say it does not explicitly require Internet companies to remove identifying information about users before sharing.  Opponents contend, for instance, that Facebook or Twitter could share user messages with the NSA or FBI without redacting the user’s name or personal details.

CISPA also protects the private sector from liability even if they share private user information, as long as that information is deemed to have been shared for cybersecurity or national security purposes. Even though sharing is voluntary and not required under the law, privacy activists say the legal immunity CISPA provides would make it easy for the government to pressure Internet companies to give up user data.

What kind of information can be shared?

 Private companies and government agencies can share any information that pertains to a “cyber threat” or that would endanger national security. That could include user information, emails, and direct messages. Companies would be allowed to share with each other as well as the government. The government is not allowed to proactively search company-provided information for purposes unrelated to cyber security, but opponents say this would be tough to enforce. The bill does not place any explicit limit on how long that information can be kept. Several proposed amendments would limit the amount and kinds of information that can be shared, but it remains to be seen which — if any — will be adopted.

Is CISPA basically SOPA 2.0?

No, it’s very different.

SOPA was about intellectual property; CISPA is about cyber security, but opponents believe both bills have the potential to trample constitutional rights. The comparisons to SOPA stem from language in an earlier version of CISPA that referenced intellectual property. That wording was removed early on in response to mounting criticism. SOPA would have strengthened copyright laws, barring search engines and other websites from linking to sites that violated intellectual property regulations. That prompted a First Amendment concern from critics that it would give government the power to block websites wholesale, trampling free speech. CISPA’s liability shield, on the other hand, has sparked a concern based on the Fourth Amendment, which protects against unreasonable search and seizure. Opponents contend the law would make it too easy for private companies and the intelligence community to spy on users in the name of cyber security.

Why are some of the tech companies that protested SOPA, like Facebook and Microsoft, now supporting this bill?

CISPA gives Internet companies the ability to share threat information with intelligence agencies and receive information back from them, an ability they say would enable them to deal with cyber threats more effectively. It does not compel them to protect users’ privacy (though a variety of proposed amendments aim to add more stringent privacy protections). Companies could not be held liable for divulging a user’s identity or data to the government if the information relates to a “cyber threat.”

What’s the Obama administration’s take?

The White House is backing a Senate bill proposed by Homeland Security and Governmental Affairs Committee Chairman Sen. Joe Lieberman, I-Conn., and has threatened to veto CISPA. Officials cite a lack of personal privacy protections. They say CISPA would enable military and intelligence agencies to take on a policing role on the internet, which the administration points out is a civilian sphere.

What is CISPA’s path forward in Congress?

A vote is set for Friday. CISPA has accumulated more than 100 cosponsors and will most likely pass the House. “This isn’t about scrambling to meet 218 votes, we are well past that,” co-sponsor Rogers said during a conference call with reporters. But the Senate is a different story — there, it must compete with the Lieberman cyber security bill and one from Sen. John McCain, R-Ariz.

Would CISPA really make us more secure?

It’s unclear.

Some cyber security specialists note that neither CISPA nor other cyber security bills in Congress would compel companies to update software, hire outside specialists or take other measures to preemptively secure themselves against hackers and other threats. CISPA’s backers respond that the bill would forestall a “digital Pearl Harbor,” allowing a freer flow of information for a quicker and more effective response to hackers by both the government and the private sector.

A few points.

First, I also wish we’d put an end to connecting CISPA to SOPA.  SOPA was aimed at shutting down websites accused of infringement without due process.  CISPA is about asking corporate America to spy on its (Internet) customers and report that to the government for “national security.”  One is censorship, the other is surveillance.

(An early version of the bill DID include Intellectual Property infringement as part of cybersecurity, though.)

Second, technically and unfortunately, Obama did not threaten to veto the bill.  He said that his advisors would encourage him to veto it in its current form.  That’s a lot of conditions he can wiggle out of.

Third, CISPA is toothless exactly where it counts most.  What will protect us from an attack is:

- Ban the sale and use of “exploits” (bugs that nobody else knows about that can be used to bypass security).  If you know a way to sneak software onto an iPhone, there are several government customers that’ll happily pay you a quarter-million bucks.  That’s the big problem everything else comes from.

- Make people liable for negligence if they choose not to report a discovered exploit.  If you hide a bug from the software’s author or site management, you’re allowing someone to attack.

- Require companies/developers to patch all exploits within a short but reasonable period of time (sliding scale based on the complexity?) and report the bug and fix to the government.  Every attack you’ve heard about has come from some idiot who couldn’t be bothered to upgrade his server.

- Protect security researchers from prosecution for finding exploits before criminals.  Right now, they receive DCMA (copyright infringement) notices, because they’re defined as trafficking in ways to circumvent protection to copyrighted content.  But if we spook away all the “white hats,” it doesn’t follow that the “black hats” will walk away in solidarity.

- Publish the bug and fix reports regularly, so that the average person can be aware of which software needs an update (or abandonment).

- (Bonus #1) Stop storing confidential government data unencrypted or on computers not owned or managed by the government, especially when those computers eventually get sold on eBay.

- (Bonus #2) Require annual security audits of any software or service with more than some threshold of users, with unabridged publication of the results.  Think about what would happen if someone could infect computers and phones through the “Facebook Like” buttons on web pages.  Wouldn’t it be best if Facebook learned about the problem before a terrorist did, even if it costs them half a million bucks?

That agenda would protect us far better than CISPA (or the sibling bills) ever can.  Encourage good people to find and publicize problems.  Discourage bad people from exploiting problems.  Make the biggest players prove they’re safe.

By contrast, having Twitter report you to the FBI for using a pseudonym (which could qualify as attempting to circumvent security restrictions) won’t protect anybody.  Asking your ISP to tell the CIA you’re downloading a really big file (which might “degrade” service on the network won’t protect anybody, either.  Protecting Google from my lawsuit when they give up my identity, search history, and so forth is an explicit LACK of protection.

The overall core concept of CISPA is good, and it’s what Facebook reacted positively to (with much-deserved bad press for not reading past the title).  The intent is that companies should be encouraged to report serious problems to the government and the government should be allowed to get involved in law enforcement on this end.  This is good.

However, it’s built on a misunderstanding of where attacks come from, how they get fixed, and who the government is ultimately obligated to protect.  It also (very badly and very dangerously) reasons that private entities can be functionally empowered as government authorities (deputizing them, essentially) without having the responsibility to abide by the protections in the Bill of Rights—essentially, asking the companies to spy on us without a warrant so the Feds don’t need to.

John, thanks for your enlightening comments.

Bottom line seems to be: more erosion of our rights to privacy, no appreciable increase in cyber security.

The world needs now unrestricted Boom of Internet services. In Bangladesh without SOPA, PIPA, SISPA etc. wealthy thugs (who are against 3G, 4G etc.) are in control of IT sector. Same is the situation behind scenes in the West.
The best solution is: Set the Internet Free, Let the global Public know whatever each of us doing and get the criminal minded guys worry over own privacy.

hilarious request

April 26, 2012, 11:09 p.m.

I say we all toss the tech and go back to carrier pigeons.  Worked for 10K years.

re: The best solution is: Set the Internet Free, Let the global Public know whatever each of us doing and get the criminal minded guys worry over own privacy.

This comment makes a common assumption that privacy only serves the interest of criminals—often stated as, ” if you have nothing to hide, you have nothing to worry about.”

But this conflicts with the democratic assumption of innocent until proven guilty. Why is this ideal important to democracy? Well, who would like to live under a surveillance state? Would you feel free to express controversial ideas if you were likely to be turned in by your ISP to your government? How likely would you be to organize a protest via twitter against a war, or sign an on-line petition against a government policy you disagree with? Iran and China have already demonstrated how effective internet monitoring can be to control their populations.

Stifling of free speech through surveillance (whether direct or indirect via the private sector)  is anathema to democracy.

The industry is setting themselves up to be displaced.  Every attempt to make the internet the lazy man’s Stasi

http://www.wired.com/politics/security/magazine/16-02/ff_stasi?currentPage=all

is just begging for the proliferation of private networks.  Throw in the fact that the commercial entities that have come to dominate today’s internet have proclaimed themselves the final arbiters of how much privacy is your right, and the likelihood of a competing internet riding the existing hardware and infrastructure only grows.

“We have the technology…we have the capability to make the world’s first…” democratic internet.  (You have to say it in the ponderous tones of the lead-in to the old TV show The Six Million Dollar Man http://www.youtube.com/watch?v=HofoK_QQxGc .)

Internet is a blessing for humanity -which, if can be left unrestritced for atleast a decade, is going to positively change forever many old norms starting from the manipulative Judicial System of the old.
Thank you Mr. Sam for your Wise comment.

Stephanie Palmer

April 29, 2012, 5:22 a.m.

Our constitutional rights have been eroded too much as it is. Who do the sponsors of these bill represent? Not the 99%. They serve merely as a way to control us, not support us.

Are you sure your list is up to date? I heard Microsoft were backing away from their support of CISPA. I wish I remembered the source, but it was a recent article in just the past week. Your letter of support you listed is from last November.

Samantha Edgerley

May 1, 2012, 6:29 p.m.

Isn’t the NSA allowed to operate outside the law now anyway?  And isn’t the NSA sucking up all this data already, to be processed at Bluffdale?

Claire Mooney

May 17, 2012, 1:33 p.m.

I agree with Samantha that the NSA has, and clearly plans to continue to, operate outside of the law. It seems easy to deduce that the Bluffdale center is being built in order to process the sort of influx of information which would be (legally) available from passing a bill like this.

Speaking of operating barely within the law, corporations (as long as they are still recognized by the Supreme Court as having the constitutional rights of people) have a great incentive to support this bill. This bill will make targeted advertising even easier. And if corporations were ever investigated for what, precisely, they were storing and for what reason—well, seeing as corporations have protection from search and seizure (as was established by SC cases in the 70s)...we may never know.

This bill creates problems similar to those from the implementation of CIPA in public schools. Perhaps created with good intentions, the bill enabled a plethora of negative externalities; as ways to sneak around the blocking system on the internet increase exponentially within seconds, the only way for administrators to keep up is to block and intrude excessively.

The truth is, the internet now grows and finds loopholes far more quickly than ways to control it can be managed (though perhaps the Bluffdale plant will try to change that). But for now, blocking systems are sloppy, which allows harmful elements to keep evolving, while peoples’ rights and access are lost.