"Hi, we're from the House of Representatives, and we're here to help you with your nagging cybersecurity issues. To receive the government's top-flight threat intelligence, just record all network-level traffic and send a copy to the NSA."
So goes the pitch for the Cyber Intelligence Sharing and Protection Act (CISPA), sponsored by House Permanent Select Committee on Intelligence chairman Mike Rogers (R-Mich.). The bill was first introduced in late 2011, only to die after facing strong opposition from the White House and civil rights groups, and never taken up in the Senate.
One criticism of CISPA was that it indemnified businesses that shared data with government agencies. The worry was simple: By collecting and sharing so much network-level data, businesses could put sensitive and private information about their employees and customers in the hands of an intelligence agency, which would then have carte blanche to use the information as it saw fit, provided it was for "national security" purposes.
Cue CISPA 2.0, introduced in February 2013. "What we came up with, we think, is the right approach. It is the one bill out of everything you've seen on both sides of this great institution of the United States Congress that protects a free and open Internet and allows people to share cyber threat information to protect their clients, their business, their [personally identifiable information]," Rogers told reporters Wednesday, reported The Hill.
Given the previous bill's untimely demise, surely Rogers' comments reflect how the committee learned from its mistakes and included tough new privacy protections in the latest version of CISPA?
Guess again. The House Intelligence Committee, before voting 18-2 last week to send the bill to the House floor -- where it could be voted on this week -- did amend CISPA in a closed-door meeting, but only to add window-dressing privacy protections. For example, instead of allowing government agencies to use collected data for any national security purpose, the bill's revised language now limits that to "cybersecurity purpose."
Minor tweaks to a bill that sparked major privacy concerns don't bespeak a rethink, and the second CISPA is facing a barrage of criticism that -- surprise, surprise -- differs little from before. "We believe the adopted committee amendments reflect a good-faith effort to incorporate some of the Administration's important substantive concerns, but we do not believe these changes have addressed some outstanding fundamental priorities," read a statement released last week by the White House National Security Council (NSC).
"We continue to believe that information-sharing improvements are essential to effective legislation," continues the NSC's statement, which many are reading as a veto threat by President Obama. "But they must include privacy and civil liberties protections, reinforce the roles of civilian and intelligence agencies, and include targeted liability protections."
Civil rights groups have leveled similar charges. "CISPA still permits companies to share sensitive and personal customer information with the government and allows the National Security Agency to collect the Internet records of everyday Americans," said Michelle Richardson, legislative counsel at the American Civil Liberties Union, in an emailed statement. "The bill continues to do so even though the NSA maintains it does not want nor need that power and cybersecurity experts tell lawmakers that sharing personal information will not protect critical infrastructure from intrusion and attack."
To be fair, House Intelligence Committee members Rep. Jan Schakowsky (D-Ill.) and Rep. Adam Schiff (D-Calif.), who both voted against sending CISPA to the floor of the House, first proposed stronger privacy amendments; none were successful. Electronic Frontier Foundation (EFF), a civil liberties group, lauded Schiff's proposal in particular because it would have required "that companies take 'reasonable efforts' to remove unnecessary personal information of users before passing data to the government," according to a blog post by EFF policy analyst Mark M. Jaycox and activism director Rainey Reitman. "While this wouldn't fix everything that's wrong with CISPA, it would do one vital thing: help minimize how much personal information of users actually flowed to the government without a warrant," they said.
Congress arguably wants to "do something" to help the government share threat intelligence information with private businesses. But legislators need to stop fetishizing government-provided threat intelligence and portraying it as the panacea for all information security ills, while overstating the importance of having businesses share network scans with the government.
Until CISPA's backers get their cyber-intelligence-sharing facts straight, they may run roughshod over privacy rights, but they won't meaningfully help businesses strengthen their information security defenses.
A well-defended perimeter is only half the battle in securing the government's IT environments. Agencies must also protect their most valuable data. Also in the new, all-digital Secure The Data Center issue of InformationWeek Government: The White House's gun control efforts are at risk of failure because the Bureau of Alcohol, Tobacco, Firearms and Explosives' outdated Firearms Tracing System is in need of an upgrade. (Free registration required.)