The art of passing a law in Congress is easily summarized by the old proverb, “If at first you don’t succeed, try, try, try again.” In the case of the Cyber Intelligence Sharing and Protection Act (CISPA), this adage seems especially apt. Over a year has passed since 100,000 websites (including Wikipedia, Reddit, and WordPress) participated in raising awareness about two other bills – the Stop Online Privacy Act and the Protect Intellectual Property Act. Both purported to protect intellectual property, but also restricted freedom of speech and the use of other media in ways that had been traditionally accepted. While CISPA is a far cry from those two bills, the controversy surrounding its recent passage is proving to be just as troublesome.
That CISPA has survived so far is a testament to its 112 sponsors, led by Representative Michael Rogers (R-MI). Last April, CISPA passed in the House with a bevy of support from both sides of the aisle, but was ultimately doomed to failure as the Senate refused to vote on the bill. After gutting the Act of its most controversial language,CISPA passed in the House again just two weeks ago. While it is yet to be seen whether the Senate will act on this new incarnation of CISPA, all indications are that they won’t give it the time of day, and the White House has already threatened to veto should it land on President Obama’s desk.
With CISPA making its way to the floor of the House, Rogers and another co-sponsor, Representative Dutch Ruppersberger (D-MD), began using the lessons they had learned from the bill’s failure last year. Instead of allowing CISPA to become the poster child for the attack on internet speech and privacy, the Congressmen decided to use a series of amendments to remove the most controversial provisions. Washington D.C. attorney Kristen Eichensehr has more on those amendments on Covington & Burling‘s blog, Inside Privacy:
“CISPA passed the House last April, despite opposition by privacy groups and a veto threat by the White House. Congressmen Rogers and Ruppersberger intend to use amendments to alleviate concerns that derailed the bill last year. Specifically, reports (here and here) indicate that amendments will:
- Eliminate a provision that would have allowed government agencies to use shared cybersecurity information for “national security purposes”;
- Allow private companies to use cybersecurity information they receive from the government only for cybersecurity purposes;
- Require the government to remove personally identifiable information from information shared pursuant to the Act; and
- Clarify that CISPA does not authorize hacking in retaliation for cyber theft, as some had alleged.”
These concessions, while significant, were not enough to protect CISPA from attacks by the ACLU, EFF, and other organizations whose mission is to protect privacy and civil liberties.
While privacy is the focal point of the arguments against CISPA, the bill was mainly designed to help corporations and government agencies establish avenues of communication and information sharing. The aim being to aid in the protection of sensitive information. Sharon Kim Schiavetti lays out the goal of CISPA on Kelley Dry & Warren’s Ad Law Access:
“In pertinent part, the legislation would allow the federal government to share classified cyber threat intelligence with the private sector and would enable private sector entities to share cyber threat information with one another and with the federal government on a voluntary basis. The bill would limit information sharing of “cyber threat information” for certain enumerated purposes, including the investigation and prosecution of cybersecurity crimes and the protection of individuals from danger of death or serious physical injury.
Under the legislation, the Director of National Intelligence would be responsible for establishing procedures to enable the intelligence community to share classified cyber threat intelligence with private sector entities. The policies and procedures for the receipt, retention, use, and disclosure of cyber threat information shared with the federal government must be crafted in a manner that “minimize[s] the impact on privacy and civil liberties.””
In a vacuum, the goal to help corporations protect information from hackers and cybertheives seems like something we should all be working towards. Identity theft is a growing problem, hackers are more sophisticated than ever before, and data breaches are increasingly common. Protecting social security numbers, credit card information, and other sensitive data may require tactics that infringe on online liberties.
The slippery slope that we’re currently climbing up is one that has been debated before offline, but is relatively new to the internet. It’s impossible to say how the rest of the LexBlog Network views these arguments, but one member has clearly taken a side. Stewart Baker, former Assistant Secretary for Policy at the Department of Homeland Security (where he was responsible for cybersecurity policy), has time and time again come out in support of strengthening our protections against malicious attackers. Here’s his take on one of the amendments to CISPA on the Steptoe Cyberblog:
“In response to some of the privacy criticisms of the Cyber Intelligence Sharing and Protection Act (CISPA), the House Intelligence Committee is proposing amendments to the bill. Politico’s Tony Romm reports on some of the likely amendments:
Still another amendment specifies clearly that CISPA won’t allow companies to “hack back” their hackers in pursuit of stolen trade secrets…
Really? A government that can’t protect us is debating new measures to make sure we can’t protect ourselves?
It does sound somewhat familiar…”
And while there is certainly merit to the argument that hacking the hackers is a logical step, the White House remained concerned about some of the language in the bill. After CISPA passed by a vote of 248-168, the Obama administration came out strongly against it, threatening to veto, even in the face of veto-proof margins in the House. The chief concerns appear to be with respect to individual privacy, but as the lawyers at Hogan Lovell pointed out on the firm’s Chronicle of Data Protection, the administration didn’t rule out an approach to strengthen private cybersecurity as part of a larger plan of action:
“And the White House noted its view that any information-sharing provision should be part of a broader legislative action on cybersecurity, including “legislation that: (1) strengthens the Nation’s critical infrastructure’s cybersecurity by promoting the establishment and adoption of standards for critical infrastructure; (2) updates laws guiding Federal agency network security; (3) gives law enforcement the tools to fight crime in the digital age; and (4) creates a National Data Breach Reporting requirement.””
Fortunately or otherwise, it appears CISPA is not long for this world as word from several Senate committees is that Senators aren’t even willing to give the bill a once-over. As Chris O’Brien reports on the Los Angeles Times:
“Citing sources on various committees, several organizations reported late last week that the Senate would not even give the bill a look. While the Senate may introduce a different information-sharing bill at some point, it appears the House version is DOA.
“I think it’s dead for now,” Michelle Richardson, legislative counsel with the ACLU, told U.S. News & World Report. “CISPA is too controversial, it’s too expansive, it’s just not the same sort of program contemplated by the Senate last year. We’re pleased to hear the Senate will probably pick up where it left off last year.””
So with CISPA stalling out in the Senate for a second straight year, it looks like the only path forward is to “try, try, try again.”
To read more legal analysis on CISPA from lawyers around the country, be sure to check out LXBN’s page on the subject here.
Photo Credit: wallyg, Flickr.com