House revives controversial cybersecurity information-sharing bill, but can CISPA 2.0 address lingering privacy concerns?
Who Is Hacking U.S. Banks? 8 Facts
(click image for larger view and for slideshow)
Two members of the House Intelligence Committee Wednesday reintroduced their Cyber Intelligence Sharing and Protection Act (CISPA), a controversial piece of cybersecurity legislation focused on information sharing. But does the bill stand any chance of succeeding, and in the wake of recent cybersecurity moves by the White House, is it even necessary?
CISPA last year passed the House, despite facing strong opposition from civil liberties groups and the Obama administration. But the bill ultimately died in the Senate, which was pursuing its own cybersecurity legislation.
Could CISPA 2.0 succeed? Here are six related facts:
1. Original Bill: All Carrot, No Stick.
The original CISPA, written by Mike Rogers (R-Mich.), the House Intelligence Committee Chairman, together with ranking member C. A. Dutch Ruppersberger (D-Md.), and introduced in November 2011, was designed to facilitate two-way information sharing between intelligence agencies and private businesses. Notably, the bill would have legally protected from prosecution any business that shared information about its customers or employees -- including activity on Facebook and email -- with intelligence agencies. Likewise, intelligence agencies were allowed to collect data from businesses as needed "to protect the national security of the United States."
Nebulous language and fears of unchecked surveillance helped ensure the bill's demise. The White House threatened to veto the bill, largely over related privacy concerns. In addition, the bill would have provided classified data to the private businesses that run the vast majority of the so-called critical infrastructure, but not required the businesses actually do anything with the information.
2. Privacy Questions Remain.
Privacy rights groups last year claimed victory when CISPA failed, and they've vowed to challenge any subsequent efforts to field cybersecurity legislation that doesn't include adequate privacy protections. "CISPA offers broad immunities to companies who choose to share data with government agencies (including the private communications of users) in the name of cybersecurity," said Mark M. Jaycox, a policy analyst and legal and legislative assistant at Electronic Frontier Foundation, in a blog post. "It also creates avenues for companies to share data with any federal agencies, including military intelligence agencies like the National Security Agency."
But Rep. Adam Schiff (D-Calif.), a member of the House Intelligence Committee, this week told The Hill that he's concerned about the shortcomings in the previous bill, both on the privacy and critical infrastructure security front, and plans to address these Thursday when the House Intelligence Committee holds its first cybersecurity hearing of the year. "I do think CISPA needs to be strengthened by protecting personally identifiable information and by including critical infrastructure -- it's a very necessary piece," he said.
3. Executive Order Includes Information-Sharing Provisions.
The reintroduction of CISPA came one day after President Obama signed a White House cybersecurity executive order, which he announced in his State of the Union address. "We know hackers steal people’s identities and infiltrate private e-mail. We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems," said Obama. "We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy."
The executive order touches on national cybersecurity and information sharing as well as related privacy requirements. On the information-sharing front, notably, "it expands the Department of Homeland Security's Enhanced Cybersecurity Services program to provide near real-time sharing of information on cyber threats with critical infrastructure companies and state and local governments," said White House cybersecurity coordinator Michael Daniel in an overview of the executive order.
According to Daniel, the executive order also "directs federal agencies to provide timely notification to companies if we have information indicating that a company is the target or victim of a cyber intrusion," which, notably, the FBI already appears to be in the habit of doing. Finally, the executive order tells the Department of Homeland Security "to expedite the processing of clearances for appropriate state and local government and private sector personnel," he said, to encourage better sharing of classified information.
Security Job #1 For FedsThe 2014 InformationWeek Government IT Priorities Survey shows federal IT pros care about security - itís rated as very important by 69% of respondents, 30 percentage points ahead of the No. 2 priority, disaster recovery. Will the upcoming NIST cyber-security framework help manage risk?
Join us for a roundup of the top stories on InformationWeek.com for the week of December 14, 2014. Be here for the show and for the incredible Friday Afternoon Conversation that runs beside the program.