In April 2013, the U.S. House of Representatives passed the controversial Cyber Intelligence Sharing and Protection Act (CISPA), a bill that would allow the government to access data regarding Internet traffic from technology and manufacturing companies. Although CISPA is designed to help the government maintain cyber security and investigate cyberattacks, opponents claim that the law could override privacy laws and allow companies to hand over data regarding individual users despite their promises not to do so.
The version of CISPA that was passed in April is actually the second incarnation of the law. The first version was passed in April 2012, but it was voted down in the Senate under the threat of a presidential veto, spurred on by concerns about how the bill would impact individual privacy. And some experts predict that the most recent version of the bill will meet a similar fate, as lawmakers have yet to find a way to adequately address the privacy concerns while still allowing the bill to have the intended effect.
Still, there is a chance that CISPA — or another bill like it — could pass, and that holds significant implications for anyone who creates, uses or manages data.
Covering New Ground
Many experts who oppose CISPA liken it to the controversial Stop Online Piracy Act (SOPA) that was struck down in early 2012. SOPA targeted online counterfeiters trafficking in stolen or knock-off goods; websites that were suspected of selling the goods would be taken offline under the terms of the act. Public outcry at the possibility of legitimate sites being pulled offline led lawmakers to kill the bill — and it’s that same fear of innocent people being dragged into complex investigations or having their personal information compromised that’s causing concern about CISPA.
In theory, CISPA would prevent massive cyberattacks from taking shape. For example, if data analyzed by the government indicated that a large site like Facebook was the target of an attack, then the feds could warn the site operators and stop the attack. In return, Facebook could provide data to the government that could potentially halt a devastating cyberattack against another entity.
Because the results of a cyberattack can be so devastating (a single piece of malware could wreak havoc on utility or military systems, or compromise sensitive data about millions of individuals), representatives argue that it’s imperative that investigators have access to as much data as possible in order to thwart attacks. And with the increasing prevalence of targeted attacks against U.S. businesses and government, many companies are willing to do whatever it takes to protect their data.
On the other hand, because CISPA casts a wide net to catch cybercriminals, including collecting data from cloud service providers, it’s inevitable that information about individuals will be shared, and that has privacy advocates concerned. They argue that giving the government access to personal information about individuals and their Internet usage kicks off a slippery slope toward the feds being able to use the information for any purpose, not to mention the vulnerabilities inherent in giving such information to private industries.
The New CISPA
While the chances of the new CISPA even being considered by the Senate are slim, lawmakers made significant amendments to the bill in order to increase the chances of it being passed.
The proposed changes include:
- “Minimization” of the personal data that is shared. Under the law, the government would be required to reduce the amount of personal information that is contained within the data being analyzed. Although the law allows for any type of data to be collected, including personal e-mails and text messages, security experts are only looking for patterns of behavior that indicate the propagation of malware; still, CISPA places safeguards on the data to ensure a level of privacy.
- Companies that receive data for analysis, such as cybersecurity firms, can only use the data for investigation. They cannot use the data for sales purposes.
- The bill does not authorize hacking. Data must be shared legally.
Despite these and other changes, opponents still question whether CISPA is a valuable addition to the fight against cybercrime or simply another means for the government and private businesses to gather more data about people.
So even though CISPA in its current form is probably not going to become law, there is no denying that cybercrime is a significant issue, and poses a substantial threat to the U.S. and its interests. Expect to see more proposals like CISPA in the future as security experts and the government look for ways to address the issue and keep our data — and our country — safe.
About the Author: Christopher Budd is a seasoned veteran in the areas of online security, privacy and communications. Combining a full career in technical engineering with PR and marketing, Christopher has worked to bridge the gap between “geekspeak” and plain English, to make awful news just bad and help people realistically understand threats so they can protect themselves online. Christopher is a 10-year veteran of Microsoft’s Security Response Center, has worked as an independent consultant and now works for Trend Micro.