Government // Cybersecurity
News
2/14/2013
12:56 PM
Connect Directly
RSS
E-Mail
50%
50%

CISPA Cybersecurity Bill, Reborn: 6 Key Facts

House revives controversial cybersecurity information-sharing bill, but can CISPA 2.0 address lingering privacy concerns?

Who Is Hacking U.S. Banks? 8 Facts
Who Is Hacking U.S. Banks? 8 Facts
(click image for larger view and for slideshow)
Two members of the House Intelligence Committee Wednesday reintroduced their Cyber Intelligence Sharing and Protection Act (CISPA), a controversial piece of cybersecurity legislation focused on information sharing. But does the bill stand any chance of succeeding, and in the wake of recent cybersecurity moves by the White House, is it even necessary?

CISPA last year passed the House, despite facing strong opposition from civil liberties groups and the Obama administration. But the bill ultimately died in the Senate, which was pursuing its own cybersecurity legislation.

Could CISPA 2.0 succeed? Here are six related facts:

1. Original Bill: All Carrot, No Stick.

The original CISPA, written by Mike Rogers (R-Mich.), the House Intelligence Committee Chairman, together with ranking member C. A. Dutch Ruppersberger (D-Md.), and introduced in November 2011, was designed to facilitate two-way information sharing between intelligence agencies and private businesses. Notably, the bill would have legally protected from prosecution any business that shared information about its customers or employees -- including activity on Facebook and email -- with intelligence agencies. Likewise, intelligence agencies were allowed to collect data from businesses as needed "to protect the national security of the United States."

[ Can you -- and should you -- strike back at attackers? Read Offensive Cybersecurity: Theory And Reality. ]

Nebulous language and fears of unchecked surveillance helped ensure the bill's demise. The White House threatened to veto the bill, largely over related privacy concerns. In addition, the bill would have provided classified data to the private businesses that run the vast majority of the so-called critical infrastructure, but not required the businesses actually do anything with the information.

2. Privacy Questions Remain.

Privacy rights groups last year claimed victory when CISPA failed, and they've vowed to challenge any subsequent efforts to field cybersecurity legislation that doesn't include adequate privacy protections. "CISPA offers broad immunities to companies who choose to share data with government agencies (including the private communications of users) in the name of cybersecurity," said Mark M. Jaycox, a policy analyst and legal and legislative assistant at Electronic Frontier Foundation, in a blog post. "It also creates avenues for companies to share data with any federal agencies, including military intelligence agencies like the National Security Agency."

But Rep. Adam Schiff (D-Calif.), a member of the House Intelligence Committee, this week told The Hill that he's concerned about the shortcomings in the previous bill, both on the privacy and critical infrastructure security front, and plans to address these Thursday when the House Intelligence Committee holds its first cybersecurity hearing of the year. "I do think CISPA needs to be strengthened by protecting personally identifiable information and by including critical infrastructure -- it's a very necessary piece," he said.

3. Executive Order Includes Information-Sharing Provisions.

The reintroduction of CISPA came one day after President Obama signed a White House cybersecurity executive order, which he announced in his State of the Union address. "We know hackers steal people’s identities and infiltrate private e-mail. We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems," said Obama. "We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy."

The executive order touches on national cybersecurity and information sharing as well as related privacy requirements. On the information-sharing front, notably, "it expands the Department of Homeland Security's Enhanced Cybersecurity Services program to provide near real-time sharing of information on cyber threats with critical infrastructure companies and state and local governments," said White House cybersecurity coordinator Michael Daniel in an overview of the executive order.

According to Daniel, the executive order also "directs federal agencies to provide timely notification to companies if we have information indicating that a company is the target or victim of a cyber intrusion," which, notably, the FBI already appears to be in the habit of doing. Finally, the executive order tells the Department of Homeland Security "to expedite the processing of clearances for appropriate state and local government and private sector personnel," he said, to encourage better sharing of classified information.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Cyber Security Standards for Major Infrastructure
Cyber Security Standards for Major Infrastructure
The Presidential Executive Order from February established a framework and clear set of security standards to be applied across critical infrastructure. Now the real work begins.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest - August 20, 2014
CIOs need people who know the ins and outs of cloud software stacks and security, and, most of all, can break through cultural resistance.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.