This week, the House of Representatives will vote on several cybersecurity bills, giving rise to the apt moniker “Cyber Week.” Congress is right to act on this very important issue, as up to $400 billion is stolen from U.S. companies in cyber theft and espionage every year. While Congress correctly acknowledges this real threat, it is important that Congress not just act to say that it did something.
H.R. 3523, or the Cybersecurity Information Sharing and Protection Act (CISPA), is a strong cybersecurity bill that the House Permanent Select Committee on Intelligence passed by a bipartisan vote of 17–1. Similar to portions of other bills, CISPA encourages cyberthreat information sharing among the private sector and with the government and is completely voluntary. No company would be obligated to share any information with the federal government, and companies could undertake “appropriate anonymization or minimization” of information. CISPA provides liability protection for information sharers and rejects costly mandates and regulations.
Some have raised concerns regarding CISPA, accusing it of being SOPA II, or worse. This could not be further from the truth. Analysis of the bill shows that CISPA does not allow for any blocking of websites but merely facilitates the sharing of cyberthreat information. It gives no additional authority to the Department of Defense, the National Security Agency (NSA), or any other “element of the intelligence community to control, modify, require or otherwise direct the cybersecurity efforts of a private-sector entity or a component of the Federal Government or a State, local, or tribal government.”
CISPA includes tailored but not overly restrictive definitions of threat and vulnerability information. Chairman Mike Rogers (R–MI) and ranking member Dutch Ruppersberger (D–MD) of the House Intelligence Committee have agreed to new language that would allow the government to use shared cybersecurity information only for a cybersecurity purpose, for a national security purpose, to prevent death or serious bodily harm, or to protect minors from sexual exploitation, kidnapping, and trafficking.
These restrictions represent a compromise between civil liberties advocates and those who don’t want to set up too many artificial barriers, such as those that were partially responsible for intelligence failures before 9/11.
Privacy advocates also voiced concerns that an organization might share personal data with the NSA. CISPA answers these concerns by establishing the Department of Homeland Security as the hub of cybersecurity information, requiring the inspector general for intelligence to make a yearly report on the type and use of shared information. The bill also allows individuals to sue the government for “willfully violating” the restriction of only using information for cyber or national security.
CISPA has deliberately been drafted and revised in such a way as to meet many of the concerns of privacy advocates. Indicative of these efforts, even organizations that had actively opposed the bill, such as the Center for Democracy and Technology, have recognized the “good faith efforts” made by Rogers and Ruppersberger and will no longer oppose it.
CISPA is a sensible bill that represents a successful balancing of security and privacy concerns. Completely voluntary, CISPA harnesses the innovation and creativity of the private sector to make our nation more cyber secure.