A decade after the September 11 attacks, Congress still hasn't effectively addressed cybersecurity, an oversight they seem determined to correct in this election year. Thus Thursday's
rushed passage of the deeply flawed Cyber Information Sharing and Protection Act (CISPA) in the House of Representatives.
It's become the norm for how this nation's government has responded to a new paradigm of national security: ineffectively, with an emphasis on distrust of the citizenry, and heavy-handed, broad stroke measures that do more to restrict civil liberties than to effectively combat national security threats. Not every measure taken reaches the pointless, infuriating, bankrupting destruction of a needless war on a country that posed no threat to us, but most have been about as pointless. Warrantless data collection sucks up trillions of pieces of innocuous data from all of our lives, more data than can be effectively sifted through, more data than is conceivably necessary to protect us from ourselves.
CISPA is the next assault. Couched as a program to protect the country's critical infrastructure (banking systems, electrical grids, water systems, communications networks, transportation facilities), the bill passed by the House absolutely fails to do that, because Republicans steadfastly refuse to make those industries protect themselves. That would be "job-killing" regulation, they say. But, hey, why make your corporate friends contribute to their own protection when you can take more civil liberties away from an uncomplaining public and call the job done?
That's what the House-passed cybersecurity bill does. To recap:
- It is incredibly broadly written to give the government access to anyone's personal information, and for private entities to share that information. An amendment passed Thursday that was couched as an improvement in narrowing the bill actually broadened it. What had been far too loosely lumped as ill-defined "cybersecurity or national security purposes" now says "1) cybersecurity; 2) investigation and prosecution of cybersecurity crimes; 3) protection of individuals from the danger of death or physical injury; 4) protection of minors from physical or psychological harm; and 5) protection of the national security of the United States." Note that "cybersecurity" and "national security" are not defined or limited in any way.
Cybersecurity should mean protecting networks and systems from hacking, malicious code-like viruses and Trojan horses, denial of service attacks and other disruptions. Now we have bodily harm and child exploitation in what is supposed to be a technology bill. Which means it gives the government huge leeway to collect data on citizens—unrelated to cybersecurity—with no regard to the laws in place to protect privacy. That's because:
- CISAP supersedes all other provisions of the law protecting privacy. That quote up there in the image at the top of this post, that's directly from the legislation: "notwithstanding any other provision of law." So the government can start building a case against you for a completely non-cybersecurity related purpose and you have no privacy protections. That information (private emails, browsing history, health care records, or any other information) can be collected by private companies if they think it might be helpful in dealing with a "cyber threat," or even a not "cyber" threat—a threat of bodily harm or child exploitation.
- If a company ends up collecting your information outside of this law (the outward bounds of which are pretty impossible to determine at this point), they have complete civil and criminal blanket immunity built in. They have no incentive not to share everyone's private information, potential threat or no.
- Not only can you not sue, you can't find out what has been collected about you because the bill completely exempts itself from the Freedom of Information Act.
Those are just a few of the issues, for a bill that does what companies can already do, but under the restriction of privacy laws. Tim Lee points out that "network administrators and security researchers at private firms have shared threat information with one another for decades." He also warns:
Theoretically, private companies are free to refuse to share any new information with the government. But the government has a variety of carrots and sticks it can use to induce private firms to share information it wants. Many large companies receive government subsidies, and many also have business before executive branch agencies. So when a future administration asks a private firm to "voluntarily" hand over its customers' private data, it may not be in a position to say no.
That's what passed the House, under the
threat of veto from the White House. Now it's on to the Senate, where Sens. Joe Lieberman (I-CT) and Susan Collins (R-ME) have introduced
S. 2015, The Cybersecurity Act of 2012 and Sen. John McCain (R-AZ) has the competing
S. 1251, The SECURE IT Act of 2012.
Neither of them is good, and both, again, override every existing privacy law, trumping them in the name of poorly defined national security. The McCain bill is worse, structured like CISPA, requiring no regulations for industry to step up its own security, and giving intelligence agencies access to mountains of private data from citizens. But the McCain bill is unlikely to move forward, as Senate leadership, and the White House, back the Lieberman Cybersecurity bill.
Lieberman's Cybersecurity Act gets higher marks from security experts because it, remarkably, actually sets security standards for some companies—those which "would cause mass death" or "major damage to the economy, national security, or daily life" if attacked. But those experts see loopholes in that it leaves out information-technology industry and Internet service providers. That, from a privacy standpoint, is far preferable to the overreach of CISPA.
Lieberman's bill also provides some more privacy protections, requiring that companies sharing cyber threat information make "reasonable efforts" to remove from the information they share personally identifiable information unrelated to the cybersecurity threat. But it still goes too far. The Center for Democracy and Technology note that both bills:
have broadly written provisions that would authorize ISPs and other companies to:
(i) share private communications with the National Security Agency and other federal entities, or with any other agency of the federal government designated by the Department of Homeland Security;
(ii) monitor private communications passing over their networks; and
(iii) employ countermeasures against Internet traffic.
The new authorities would trump existing privacy laws.
Existing privacy laws have been compromised enough. Now the very real threat exists that they will be made completely moot by overly broad legislation that gives the government largely unfettered access to our most private—and irrelevant to national security—information. Like CISPA, the Lieberman Cybyersecurity Act is
far too broad, far too vague and far too dangerous to civil liberties.
There is an alternative: narrow fixes to existing statutes. For example, Jim Dempsey of the Center for Democracy and Technology points out that Congress could "update wiretapping law to make it clear that service providers are allowed to share information about attacks with one another." Those companies, as already mentioned, can already share that information with government. We don't need a new law to achieve either of those goals.
Congress could also set industry standards for a more defensively oriented strategy championed by EFF. Instead of going on offense and turning on the citizenry, further restricting our rights, they could focus on the actual technology and secure U.S. critical infrastructure networks. "Fundamentally," they say, "it's very simple: fewer software vulnerabilities means more security."
Focusing on actual security, and ending the continuing encroachment of our Fourth Amendment protections, should be the direction this nation finally takes, a decade after September 11.