In case you hadnt noticed, theres a huge outcry going on around the Internet right now regarding CISPA. The Cyber Intelligence Sharing and Protection Act of 2011, which has yet to be debated before the full House, is being called everything from the Son of SOPA to a dangerous invasion of First Amendment rights. In fact, it is neither.
SOPA, the Stop Online Piracy Act, caused furious protests by Internet companies, Web users at large and First Amendment advocates claiming that the proposed legislation would stifle free speech and give law enforcement excessive powers to shut down Websites without judicial review. Public opposition has effectively stalled SOPA in Congress.
Unfortunately it does not appear that the people currently ranting on Reddit and elsewhere have actually read the proposed CISPA legislation. Had they done so, theyd have found that CISPA is in fact focused on national security and the theft of classified and R&D information. Note that the copy of the bill in the link is the marked-up version including amendments under consideration. Changes in markup are in green, and amendments are in yellow.
The current text of CISPA is also online, as are an amendment that would prevent any quid-pro-quo forcing of information sharing and one that adds a reporting requirement. Note that the amendments are written by the sponsors of the bill, so their incorporation into the final draft is certain.
Once youve read through the bill, its clear that this law is intended to allow the intelligence community to share information with private companies that have been attacked or are at risk of being attacked. What this means is that those who should be most worried are the teams of Chinese hackers and other state-sponsored attackers who are waging a constant war against U.S. interests and intellectual property by breaking into computer systems to steal secrets.
These attacks have been happening for some time, and while a few companies have managed to thwart them, as when Lockheed Martin beat off a Chinese attack, the fact is that such attacks persist, and theyre not aimed at just the giants of the defense industry, but also at companies such as Google. And the attacks have been successful.
Aircraft maker Boeing was reportedly attacked, and the information gathered was used by the Chinese government in the development of its own passenger aircraft. Such attacks are relentless and unlike in the U.S. and Western Europe, theyre not just for military advantage. These attacks, while carried out by the military in their respective countries are really as much commercial attacks as they are for military intelligence.
Fourth Amendment Protections Need Clarification in CISPA
Currently, U.S. laws prevent information sharing between the government and private industry. Because of this, companies are unable to get the help they need to prevent being attacked by these state-sponsored hackers and cyber-criminals. This also means that the government is unable to gather the information it needs to seek out, and perhaps neutralize, the attackers. In short, the U.S. is bound by its laws to the point that it is essentially defenseless against cyber-attacks.
Despite all the scary words being bandied about on the chat forums, this proposed law does not give the government free rein to go after people who share movie files or music or even those who run sites that offer copyrighted material for download. The law limits the information sharing to be related to national security and it specifically prohibits the use of the information by regulators or information sharing for any other purpose except for fighting cyber-attacks.
While there has been some concern that the government would create a quid pro quo situation in which companies would be required to turn over information so they could receive help from the intelligence community, that potential hole has been plugged by an amendment written by the bills original author.
Does this mean I think that CISPA is perfect as written? No, I dont. I think some protection against Fourth Amendment violations could be more clearly written into the bill. For example, if the government were to receive personally identifiable information thats currently protected under one of many federal laws, then it probably should require a warrant for that information to be seen or used.
In addition, there needs to be stronger language preventing the sharing of information gathered in the process of fighting cyber-warfare or cyber-crime from being shared with law enforcementunless the information being shared happens to reveal the cyber-criminal. Then the normal rules of criminal investigation procedure should be followed as if evidence of a crime were uncovered during some other government activity.
Currently, theres nothing in CISPA that specifically violates anyones civil rights, unlike the proposals in SOPA where there were clear First Amendment violations. But that doesnt mean that CISPA should protect known or discovered cyber-criminals either. But it should be clear that if such people are discovered, then it should be handled according to standard legal criminal procedures and precedents.
On the other hand, this also shouldnt mean that the legitimate interests of the U.S to protect against outside attacks should be hampered. Right now, the U.S. is effectively hamstrung when it comes to defeating cyber-attacks. That needs to be changed. So instead of mindlessly railing against the law, perhaps some constructive effort in making the law better would be good idea.