Update, July 8, 2014: On Tuesday, Senate Intelligence Committee Chairman Dianne Feinstein (D-Calif.) and Vice Chairman Saxby Chambliss (R-Ga.) announced committee approval of the Cybersecurity Information Sharing Act (CISA). The vote was 12-3.
Update, April 30, 2014: On Wednesday, Senate Intelligence Committee Chairman Dianne Feinstein (D-Calif.) and Vice Chairman Saxby Chambliss (R-Ga.) announced that they have drafted legislation referred to as a “cybersecurity information sharing bill.” According to the senators, the bill “allows companies to monitor their computer networks for cyber attacks, promotes sharing of cyber threat information and provides liability protection for companies who share that information.” But privacy advocates say the bill—whose language is not yet finalized—has many of the same problems as the earlier versions of the Cyber Intelligence Sharing and Protection Act (CISPA).
“This is definitely a step back,” Gabe Rottman, legislative counsel and policy adviser for the American Civil Liberties Union, told the Washington Post. “The problem is the definitions of what can be shared and who it can be shared with are too broad. In this draft, companies can share data with the military and the NSA. Given the past revelations, I think it’s important to keep this information in civilian hands.” Techdirt notes, “It appears as though no one involved has learned anything from CISPA’s two troubled trips through the House, not to mention the new concerns prompted by leaked NSA documents.”
When Edward Snowden dropped his bombshell about PRISM, the NSA’s vast Internet spying program, the House had recently passed a bill called the Cyber Intelligence Sharing and Protection Act (CISPA). Widely criticized by privacy advocates, CISPA aimed to beef up US cybersecurity by giving tech companies the legal freedom to share even more cyber information with the US government—including the content of Americans’ emails, with personal information intact. CISPA supporters, among them big US companies such as Verizon and Comcast, spent 140 times more money on lobbying for the bill than its opponents, according to the Sunlight Foundation. But after Snowden’s leaks, public panic over how and why the government uses personal information effectively killed the bill. Now that the dust has settled a bit, NSA director Keith Alexander is publicly asking for the legislation to be re-introduced, and two senators confirmed that they are drafting a new Senate version.
“I am working with Senator Saxby Chambliss (R-Ga.) on bipartisan legislation to facilitate the sharing of cyber related information among companies and with the government and to provide protection from liability,” Sen. Dianne Feinstein (D-Calif.) told Mother Jones in a statement. “The legislation will…still maintain necessary privacy protections.” NSA’s Alexander threw his weight behind this kind of bill in September: “If we can’t work with industry, if we can’t share information with them, we can’t stop [cyber attacks],” he told the Washington Post.
Privacy advocates aren’t happy to see that the “zombie bill” is returning—it’s been killed and resurrected twice since it was originally introduced by Rep. Mike Rogers (R-Mich.) in 2011. “This summer has confirmed that any information that goes into the NSA will be shrouded by secrecy and there will be no oversight,” says Michelle Richardson, a legislative counsel with the ACLU. “Since this is a domestic issue, the NSA is more likely to get involved…and companies haven’t provided concrete examples that they even need this legislation, especially when it’s this broad.”
The way CISPA was written earlier this year, it would have given US companies the legal protection to share cyberattack incidents with the government, which could then help companies better defend sensitive information, such as the design for the F-35 Joint Strike Fighter and US electrical grids. The way the law stands now, cyberattack information is only supposed to be shared in emergencies; otherwise, sharing it can be a violation of laws like the Electronic Communications Privacy Act (ECPA) and the Wiretap Act. Tech companies, including Google and Facebook, have quietly supported CISPA in the past—possibly because, according to Snowden, they were already being forced to share user information with the US government anyway, and CISPA would protect them from lawsuits.
Privacy advocates and many Senate Democrats took issue with the bill’s broad language, which set no limits on what the government could do with the personal information it obtained as long as it fell under the national security umbrella. “CISPA would’ve allowed NSA to get its hands on even more private and sensitive data,” says Mark Jaycox, a policy analyst for the Electronic Frontier Foundation, noting that he hasn’t seen the latest draft of the bill so can’t comment on it.
Feinstein’s office told Mother Jones that the new version of the bill will have “tight limitation on what kind of information is shared” and “the goal is to allow and encourage the sharing only of information related to identifying and protecting against cyber threats, and not the communications and commerce of Americans.” She also said that she believes “the lead responsibility within the federal government should be with a civilian department or agency”—not the Department of Defense.
However, Brian Weiss, a spokesman for Feinstein, could not confirm that two of the biggest privacy problems raised in the House version of CISPA—that personally identifiable information would be shared and the NSA could get it—had been written out of the new bill. There is “no final language” yet, he said. Richardson from the ACLU notes that “some of the Republicans’ proposals have been very anti-privacy, and there’s been a pretty big gap between the Senate Republican approach and [Feinstein’s].” (Chambliss’s office confirmed they were working on the bill, but did not provide any additional details.)
Even if the bill makes it to the floor, it could still be a tough sell—Obama threatened to veto the House version of CISPA earlier this year and almost 400 websites staged an online blackout in protest in April. “I think it will be very difficult to move information-sharing legislation forward given the events of the last several months,” says Richard Bejtlich, the chief security officer at Mandiant, a company that offers cybersecurity services for Fortune 100 companies. He also notes that his firm’s big report on China’s secret hacking unit was effective without listing personally identifiable information.
“It would have been complicated to pass a bill before the leak and now it’s even harder,” Richardson agrees. “That being said, I think we need to keep a very careful eye on it to make sure a deal isn’t struck in the Senate. Sometimes these things suddenly start moving.”