The House started considering the controversial Cyber Intelligence Sharing and Protection Act of 2013 (CISPA) on Wednesday and is expected to vote today — just two days after the White House threatened to veto the bill, which passed out of the House Intelligence Committee by an 18-2 vote in a closed session last week. Now a passionate policy debate is taking place about the importance of protecting civil liberties while solving a very real problem: how to allow government to provide threat intelligence information to victims of cyber attacks.
CISPA was reintroduced in February to immediate backlash from civil liberties groups, with the petition site cispaisback.org warning “the bill that would end our online privacy — is back in Congress despite public outrage and warnings from experts.” Only Reps. Jan Schakowsky (D-IL) and Adam Schiff (D-CA) voted against the proposal in committee, citing the same privacy concerns and issues related to maintaining civilian control over private sector data that led the White House to kill a similar proposal after it passed the House in 2012, with a veto threat much like the one currently employed.
By most assessments, privacy protections and regulatory definitions in CISPA have some gaping holes — even many security experts agree. And given the track record of government transparency surrounding surveillance tech, privacy and civil liberty advocates are understandably suspicious. The relationship between the civil liberties community, government, and telecommunications companies remains tainted by the Bush-era National Security Agency warrantless wiretapping program, which led to legislation giving retroactive immunity to companies that cooperated. Clapper v. Amnesty, a case questioning the constitutionality of the wiretaps, was dismissed earlier this year for lack of proper standing — leaving the question of their legality unresolved. So when faced with a broadly written law that could involve the NSA, it was no surprise that progressive and libertarian groups alike came out in opposition to CISPA after it was reintroduced this legislative cycle. And it looks like their concerns have not been mitigated.
But underneath the problems of scope and privacy, the goal of CISPA is to create a functional structure for coordinating information about cybersecurity vulnerabilities and threats so intelligence can be shared. This would allow the government to share information about the tactics of adversaries with victims, or send up a warning flare about an emerging threat. Consider the report released earlier this year by cybersecurity firm Mandiant about a group of hackers, likely affiliated with the Chinese military, engaging in corporate espionage: it came along with a cache of threat intelligence indicators that could help identify other attacks by the group in the future, such as domain names, IP addresses, encryption certificates, and detailed descriptions of over 40 families of malware they use.
That’s the kind of information that can help security professionals guard against and identify their adversaries. Right now, not only do companies feel constrained from sharing specific threat data with government, but government also lacks the ability to share what it knows with private entities under an immediate threat — effectively limiting security across the board. From the transparency angle, this fits into a larger narrative of the current system for information classification being broken. It has long been noted that many types of information that do not need to be classified are in fact classified, and while the Obama administration targeted the structure of over-classification in an earlier executive order, it hasn’t had the most successful track record in following through.
So industry groups are keen for a solution that would allow them the freedom to voluntarily share threat intelligence related to a cyber attack or vulnerability with government and use collective knowledge to limit the scope and frequency of breaches. That explains why IBM sent nearly two hundred executives to the Hill in support of CISPA this week, and why TechNet, an organization representing major tech CEOs including leaders from Google and Yahoo, sent a letter supporting the work of the committee on the bill while acknowledging there was more work to be done on privacy protections.
And while the rallying cry from opposition groups largely calls for stopping the bill, they also recognize that information sharing of threat intelligence is an idea that has some merit. Some even produced outlines for fixing the proposal: The Center for Democracy and Technology not only identified the problems and suggested fixes, they also prepared a redlined copy of the bill where fixes could be implemented. Some tech and cybersecurity leaders also raised questions over how to fix the bill. The TechNet letter supporting the bill specifically asks for further discussion on privacy issues, while Mandiant Chief Security Officer Richard Bejtlich tweeted about the specific areas for improvement in CISPA.
Some chose to gloss over the legitimate concerns about privacy and the scope of data that will be shared under CISPA, as Rep. Mike Pompeo (R-KS) did in a blog post for The Hill. Rep. Mike Rogers (R-MI) belittled opposition as “14-year-old tweeters” in basements. But the reason there is so much interest in compromise on CISPA from stakeholders is that there is a real problem that a well-defined threat information sharing proposal with appropriate privacy safeguards could help fix. There’s also precedent for the creation of information sharing structures for cybersecurity threat intelligence that take appropriate precautions, like the President’s executive order on information sharing for critical infrastructure. With a presidential veto threat already made and a committed opposition in place, CISPA may no longer be a viable option for those stakeholders to pursue, but it’s unlikely that will change their desire for a functional information sharing system.