The Cyber Intelligence Sharing and Protection Act (CISPA) was first introduced in November 2011 by Representative Mike Rogers, then chairman of the House Permanent Select Committee on Intelligence, with 111 co-sponsors.
The House of Representatives passed the bill on April 26, 2012, but the Senate never took it up. It was reintroduced in 2013, when it again passed the House and again stalled in the Senate, and again in 2015. Congress has not enacted it, despite amendments intended to answer criticism of some of its provisions.
This post will look at the aims of this cybersecurity bill, why it met such opposition, and how it has affected US cybersecurity policy and practice today.
The Goals of CISPA
CISPA was spurred by the growing number of cyber attacks on US businesses by foreign actors, many of them sponsored by nation-states. The goal of such attacks is sometimes disruption, but more often the theft of intellectual property and trade secrets.
The idea of the bill is that it would allow private sector entities — particularly technology and manufacturing firms — to share internet traffic information with the US government. With bi-directional information sharing, the bill aims to facilitate cooperation to help protect networks, prevent cyber attacks, and provide prompt, effective responses to cyber incidents.
The bill states that it aims to facilitate the US government’s cyber threat investigation and to help it secure networks. Under CISPA, the government’s cyber operations centers would have more access to real-time intelligence and actionable cyber threat information.
The barriers to this kind of sharing are legal rather than technical. The bill would direct the Director of National Intelligence to establish procedures for sharing classified cyber threat intelligence between the intelligence community and the private sector.
However, opponents of the bill, including advisors to then-President Barack Obama, said that it lacked adequate protections for civil liberties, and the White House issued a veto threat unless the bill was substantially amended.
Supporters of the bill included:
- AT&T
- The Cellular Telecommunications Industry Association
- Comcast
- IBM
- Intel
- McAfee
- The National Cable & Telecommunications Association
- Oracle
- Technet
- Time Warner Cable
- The US Telecom Association
- Verizon
Privacy advocates, however, warned that the bill would shield firms from legal liability for sharing cybersecurity information with the government, and that firms would not be obliged to remove customers’ personally identifiable information (PII) before sharing it.
How CISPA Could Be Used
Under the bill, cyber threat information means information directly pertaining to a vulnerability of, or a threat to, a system or network, including attempts to degrade, disrupt or destroy it and attempts to steal private, government or proprietary data. For any cybersecurity threat, such intelligence can help with:
- Identification
- Assessment
- Monitoring
- Response
The bill would restrict the federal government’s use of shared cyber threat information to the following purposes:
- Activities related to cybersecurity
- The protection of individuals at risk of serious bodily harm or death
- The protection of minors from sexual exploitation, child pornography, and other serious threats, including kidnapping and trafficking
- Helping law enforcement in matters of national security
Under CISPA, private sector firms are encouraged to provide cyber intelligence data to the government, but whether they share such information would remain entirely voluntary.
The bill also bars the federal government from using certain categories of records regarded as especially sensitive, namely:
- Book customer lists
- Book sales records
- Educational records
- Firearms sales records
- Library circulation records
- Library patron lists
- Medical records
- Tax return records
The proposed intelligence sharing is not all one way. The bill also amends the National Security Act of 1947 to require the Director of National Intelligence to permit the intelligence community to share cyber threat intelligence with private sector entities, provided the recipients hold appropriate security clearances and use the information only for cybersecurity purposes.
Several requirements have been added to the bill to protect those about whom information is shared. While some critics say that revisions to the bill do not go far enough, they do attempt to address public and civil liberty group concerns.
The additional requirements for handling sensitive information acquired and shared under the bill are as follows:
- Data anonymization
- Minimization of data
- Interdictions on gaining competitive advantage
- Prohibitions on using sensitive information for regulatory reasons
- Exemptions from public disclosure where information is shared with the government
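What “anonymization” and “minimization” mean for an engineer preparing a report to share is easier to see in code than in statute. The following Python sketch is an added illustration, not text from the bill and not UpGuard’s or any sharing programme’s code. It applies an allow-list to a threat report so that only fields describing the threat leave the organization, replaces internal asset names with keyed pseudonyms so the same host can still be correlated across reports, scrubs e-mail addresses and internal IP addresses from free-text notes, and records what was removed for an audit trail. The field names, the sample record and the per-organization key are constructed for the example.

```python
import hashlib
import hmac
import re

# Allow-list: fields that describe the threat itself and that a recipient
# needs in order to defend its own network. Anything not listed here (victim
# e-mail, customer ID, session cookie, ...) is dropped. Deny-by-default is
# what makes this minimization rather than ad hoc redaction.
THREAT_FIELDS = {
    "indicator_type", "attacker_ip", "c2_domain", "malware_sha256",
    "technique", "first_seen", "analyst_notes",
}
# Internal asset identifiers are kept only as keyed pseudonyms.
PSEUDONYMIZE_FIELDS = {"victim_host"}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# RFC 1918 addresses in free text identify the victim network, not the
# attacker, so they are scrubbed from notes. Public attacker IPs are kept.
PRIVATE_IP_RE = re.compile(
    r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|192\.168\.\d{1,3}\.\d{1,3}"
    r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b"
)

# Constructed per-organization secret (assumption for the example). HMAC with
# a secret key, rather than a bare hash, stops a recipient from confirming a
# guessed hostname by hashing it themselves.
ORG_KEY = b"example-org-pseudonym-key-rotate-me"

# Constructed sample incident record (not real data).
SAMPLE_RECORD = {
    "indicator_type": "malicious-ip",
    "attacker_ip": "203.0.113.45",
    "c2_domain": "update-check.example.net",
    "malware_sha256": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
    "technique": "T1566.001",
    "first_seen": "2013-04-18T09:12:00Z",
    "victim_host": "fs01.corp.example.internal",
    "victim_email": "alice@example.com",
    "customer_id": "CUST-00421",
    "session_cookie": "sid=6b1c0e9e2f",
    "analyst_notes": "Phish sent to alice@example.com; beacon from 10.1.4.22 to 203.0.113.45.",
}


def pseudonymize(value: str, org_key: bytes) -> str:
    """Stable, keyed pseudonym: same input and key always give the same output."""
    digest = hmac.new(org_key, value.encode(), hashlib.sha256).hexdigest()
    return "asset-" + digest[:16]


def scrub_text(text: str) -> str:
    """Remove e-mail addresses and internal IPs from free-text fields."""
    text = EMAIL_RE.sub("[email removed]", text)
    return PRIVATE_IP_RE.sub("[internal ip removed]", text)


def minimize_for_sharing(record: dict, org_key: bytes) -> tuple[dict, dict]:
    """Return (shareable_record, audit) where audit lists what was changed."""
    shared = {}
    audit = {"dropped": [], "pseudonymized": [], "scrubbed": []}
    for field, value in record.items():
        if field in PSEUDONYMIZE_FIELDS:
            shared[field] = pseudonymize(str(value), org_key)
            audit["pseudonymized"].append(field)
        elif field in THREAT_FIELDS:
            if isinstance(value, str):
                cleaned = scrub_text(value)
                if cleaned != value:
                    audit["scrubbed"].append(field)
                shared[field] = cleaned
            else:
                shared[field] = value
        else:
            audit["dropped"].append(field)
    return shared, audit


if __name__ == "__main__":
    shareable, audit_log = minimize_for_sharing(SAMPLE_RECORD, ORG_KEY)
    for key, val in shareable.items():
        print(f"{key:15} {val}")
    print("audit:", audit_log)
```

Two design points matter for a real programme. First, the allow-list is the control: a deny-list of “known PII fields” silently leaks whatever new field an upstream system adds. Second, the audit record of what was dropped or scrubbed is what lets an organization show, after the fact, that it acted in good faith, which is exactly the question the bill’s liability shield turns on.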
Problems with CISPA
Described by some as “big brother” legislation or the cyberspying bill, CISPA authorizes sharing “notwithstanding any other provision of law”, wording that would let it override existing computer crime and privacy laws, including those governing wiretapping, website privacy, and medical privacy.
The Director of National Intelligence, the Department of Homeland Security (DHS), and the Attorney General have collaborated to try to balance CISPA’s ability to provide useful threat intelligence to improve cybersecurity systems and prevent cybersecurity crimes while limiting the impact it could have on civil liberties and individuals’ privacy.
Among those opposing CISPA are:
- A group of 18 House Democrats
- Anonymous
- The American Civil Liberties Union
- The American Library Association
- The Electronic Frontier Foundation
- Free Market Coalition
- Reporters Without Borders
- The Republican Liberty Caucus
- Sunlight Foundation
All of the above have expressed concerns about CISPA because it would override existing federal and state privacy law and, in effect, the privacy policies and terms of service agreed between businesses and their users.
As a result, CISPA would allow firms to share sensitive information with the government, and confidential customer information with other private entities, while retaining legal immunity. The liability shield covers anything done “in good faith”, and it would be very difficult to prove that a company did not act in good faith or that information it shared was later misused.
Rendering privacy policies and terms of service meaningless would be a major erosion of civil liberties. It would mean that major internet companies, including social media platforms like Twitter and Instagram, could break their legal agreements with users and subscribers whenever the right conditions presented themselves, such as a cyber attack.
Although the bill states that the information can only be used to detect and defend against cybersecurity threats, it would nonetheless allow private companies to share personal data with the government and other private entities, impinging on their users’ rights.
Once in favor of the bill, Facebook and Microsoft have since withdrawn their support for CISPA. Furthermore, representatives Nancy Pelosi and Adam Schiff have both been vocal about the bill's lack of privacy protection.
The bill also proposes that, under some circumstances and with permission from the contracting entity, cybersecurity firms may share the cyber threat information they acquire with any entity designated by that contracting entity.
Moreover, federal agencies in receipt of cyber threat information must share it with other national security agencies and federal agencies, as appropriate, as well as collaborate with cybersecurity providers and self-protected entities.
Why CISPA Failed
Whether or not CISPA’s co-authors and sponsors support the bill in good faith, aiming to enhance national security, the bill had major flaws.
First, it did not take into account that procedures for intelligence sharing already exist.
Second, it threatened to sacrifice consumer privacy to achieve better cybersecurity.
CISPA also threatened to create a world in which some private entities could enter a privileged inner circle of information-sharing with the government, giving them an advantage over outsiders.
This would also be a world in which the government could ask a private business for personally identifiable information (PII) under the guise of using it for cybersecurity purposes. The company could then provide the requested information, acting in good faith, without anyone requiring any evidence of an actual security risk.
It would appear that the legislators lacked the technical expertise and cybersecurity awareness that might have allowed them to balance the bill more effectively and make it more useful with that all-important accountability.
The Need for Cybersecurity
With ongoing evolutions of the cyber threat landscape, the private sector and the government alike must deal with increasing cyber risks from various sides.
Cybercriminals are more organized than ever. Ransomware-as-a-Service, for example, allows criminals without technical ability to purchase and orchestrate a sophisticated ransomware attack on a chosen entity via the dark web.
While many hackers work in isolation, hacker groups pool their talents and resources to bring down organizations in the private and public sectors, frequently for financial gain, which is the motivation of most cybercriminals.
In the case of hacktivism, however, attackers are primarily intent on causing disruption. A distributed denial of service (DDoS) attack, for example, can overwhelm an organization’s servers and take its websites and business systems offline.
These organized cybercriminals are also sponsored by nation-states with increasing frequency. Russia has been linked to many cyber attacks on US businesses and critical infrastructure, including some of the biggest data breaches in US history.
A nation-state-sponsored attack can lead to the theft of valuable intellectual property or destabilize the economy by focusing on areas like payment systems. They can also cause massive disruption and public harm by targeting critical infrastructure, including energy, transportation, and critical manufacturing.
However, despite the growing risks from cyber threats, organizations and individuals must consider the ethics of cybersecurity. Privacy advocates have been clear that while it’s essential to protect people from cyber attacks and criminals that pose a risk to safety, such as kidnappers and traffickers, it’s also necessary to protect freedoms and civil liberties.
Private companies can share cyber threat information without CISPA. For example, information regarding attack patterns, vulnerabilities, and known exploits is already shared among cybersecurity firms, private sector businesses, and the government.
The Electronic Communications Privacy Act (ECPA), which includes the Wiretap Act, already permits a provider to disclose communications, PII included, where necessary to protect its rights or property. CISPA would override the privacy protections these acts provide beyond that exception.
How CISPA Has Affected Cybersecurity Policies
Since CISPA failed, the debate over internet privacy has grown considerably. CISPA was an early iteration of cybersecurity policy that paved the way for later legislation.
In December 2015, the Cybersecurity Information Sharing Act (CISA) was signed into federal law. Opponents criticized CISA in similar terms, saying it was essentially the same bill with minor adjustments. The main differences are that the Department of Homeland Security (DHS), rather than the intelligence community (and, critics feared, the NSA) as under CISPA, serves as the primary civilian portal for sharing, and that entities must remove personal information they know to be unrelated to a cybersecurity threat before sharing.