By Jason Koebler
Stop me if you’ve heard this one before: CISPA, a controversial, privacy-threatening cybersecurity bill, is back, again, again, again, again.
The version of the Cybersecurity Information Sharing and Protection Act introduced yesterday in the House of Representatives (embedded below) is identical to the civil liberties-killing version the House passed in 2013, but the political situation is not, which isn’t good news for opponents of the bill or anyone who values their privacy online.
It’s not really a surprise that, after the Sony hack, lawmakers would try again to push through what has become one of the most controversial pieces of internet legislation ever proposed. What’s scary, though, is that this time it might work.
CISPA passed the Republican-controlled House back in April of 2013, but it was allowed to die without a vote in the Democrat-controlled Senate. Let’s take a quick look at what the bill is, what it’s not, and what’s changed since 2013.
At its heart, CISPA is a bill designed to help companies (like Sony) fight cybercrime and hackers. To do this, the bill allows the federal government to pass specific, classified information about would-be hackers and other attacks directly to companies. That, in and of itself, is not necessarily a bad thing.
The very bad thing here is that the bill also “allows” companies to pass information they glean about “cyber threats” to the federal government, meaning information about their users. A “cyber threat” is defined extremely broadly, meaning that someone who sends a spam email (even if they were hacked or phished themselves) could have their information sent not only to the federal government, but to state and local law enforcement as well.
Finally, there is company liability protection built into the bill, meaning that if, say, Facebook were to wrongly send your information to the government, the company cannot be held liable.
“CISPA would encourage the open sharing of personal data with nearly no privacy protections—a profound abuse of users’ rights,” Drew Mitnick, a lawyer with Access, a civil liberties organization, told me. “It would create yet another surveillance regime, giving the NSA new sources of user data, at a time when the U.S. is considering the privacy impact of existing surveillance powers. This bill should be a non-starter.”
Why did CISPA die in 2013?
CISPA died partly because many, many civil liberties organizations pointed out that it was terribly broad and gave the government expansive powers to spy. That didn’t matter in the Republican-controlled House, which passed the bill by a count of 288-127. But President Obama threatened to veto the bill, noting its distinct lack of privacy protections.
Then-Senator Jay Rockefeller, who ran the Senate’s Committee on Commerce, Science, and Transportation (where the Senate bill was referred to in 2013) decided that the privacy failures were too much to overcome and shelved the bill. The ACLU called it “too controversial, [and] too expansive” for the Senate to consider.
Why is it back?
The Sony hack, of course. Dutch Ruppersberger, a Maryland Democrat who co-sponsored the bill back in 2013, said in an emailed statement that “we must stop dealing with cyber attacks after the fact.
“Most recently, Sony was hit by a severe cyber attack by North Korea—the first destructive attack we’ve seen yet—and it cost the company millions of dollars,” he added.
This, of course, was expected. Cybersecurity expert Peter W. Singer told me that the hack “will be both used and misused in everything from legislation to cybersecurity sales pitches.”
And, here we are.
So what’s different now, besides the whole Sony thing?
Well, for one, Rockefeller just retired. Second, Republicans control the Senate now. Though Ruppersberger is a Democrat, the legislation appears to have much more support among Republicans. Rep. Mike Rogers, who co-sponsored the old bill, is also gone, but Ruppersberger appears more than happy to carry the torch for him. Third, it’s not clear that Obama is still willing to veto CISPA. After the Sony hack, the president said that he wanted Congress to work on “stronger cybersecurity laws that allow for information sharing across private sector platforms as well as the public sector.”
That bill could potentially be CISPA.
Finally, it’s not even clear that Democrats still oppose an information sharing cybersecurity law. The greatest CISPA-like threat in play last year was called CISA, which was a very similar bill introduced in the Senate by Democrat Dianne Feinstein. That bill was never voted on because it had similar privacy problems, but it seems as though the tide is turning on both sides of the aisle on this issue.
Would having a law like CISPA on the books have prevented the Sony hack?
Almost definitely not, according to several civil liberties groups. We’re not really sure if North Korea hacked Sony, and there has been some very convincing evidence that the hackers needed someone on the inside, perhaps a disgruntled former employee, to execute a breach of this size.
An information sharing bill, Amie Stepanovich, a lawyer with Access told me, would have done nothing to stop a current or former employee from perpetrating such a hack.
The Electronic Frontier Foundation also noted that CISPA would not have prevented the Sony hack, because most devastating hacks on companies happen due to lapses in cybersecurity 101 by their employees, not because of some well-coordinated outside attack that leaves a digital paper trail the government could have shared in advance.
“Companies must persistently educate end users since it’s well known that many security breaches are due to uneducated employees downloading malware,” the EFF wrote. “Hackers at JP Morgan obtained inside access due to an un-updated server.”
More information from the government, even about specific threats, isn’t going to help much when passwords are stored in unencrypted Excel spreadsheets called “Master_Password_Sheet” and Social Security numbers are stored in much the same way.
Sony made a horrible mistake, and now it appears as though we might all have to pay for it.
HR234 – CISPA