To provide for the sharing of certain cyber threat intelligence and cyber threat information between the intelligence community and cybersecurity entities, and for other purposes.
Reintroduced in the House as H.R. 234 by Dutch Ruppersberger (D-MD) on January 8, 2015, and has since been referred to two additional committees as of February 2, 2015.
The Cyber Intelligence Sharing and Protection Act (CISPA; H.R. 3523 (112th Congress), H.R. 624 (113th Congress), H.R. 234 (114th Congress)) was a proposed law in the United States which would allow for the sharing of Internet traffic information between the U.S. government and technology and manufacturing companies. The stated aim of the bill is to help the U.S. government investigate cyber threats and ensure the security of networks against cyberattacks.[1]
The legislation was introduced on November 30, 2011, by Representative Michael Rogers (R-MI) and 111 co-sponsors.[2][3] It was passed in the House of Representatives on April 26, 2012, but was not passed by the U.S. Senate.[4] President Barack Obama's advisers have argued that the bill lacks confidentiality and civil liberties safeguards, and the White House said he would veto it.[5]
In January 2015, the bill was reintroduced in the House.[10] The bill has been referred to the Committee on Intelligence, and as of February 2, 2015, to the Subcommittee on Crime, Terrorism, Homeland Security, and Investigations and Subcommittee on Constitution and Civil Justice to see if it will come to the House for a vote. In December 2015 a version of CISPA was hidden in the total federal budget.
Some critics saw wording included in CISPA as a second attempt to protect intellectual property after the Stop Online Piracy Act was taken off the table by Congress after it met opposition.[14] Intellectual property theft was initially listed in the bill as a possible cause for sharing Web traffic information with the government, though it was removed in subsequent drafts.[15]
Content
CISPA is an amendment to the National Security Act of 1947, which does not currently contain provisions pertaining to cybercrime. It adds provisions to the Act describing cyber threat intelligence as "information in possession of an element of the intelligence community directly pertaining to a vulnerability of, or threat to, a system or network of a government or private entity, including information pertaining to the protection of a system or network from either "efforts to degrade, disrupt, or destroy such system or network".[16] In addition, CISPA requires the Director of National Intelligence to establish procedures to allow intelligence community elements to share cyber threat intelligence with private-sector entities and encourage the sharing of such intelligence.[17][18]
In an April 16, 2012, press release, the House of Representatives Permanent Select Committee on Intelligence announced the approval of several amendments to CISPA, including the addition of a new provision "to permit federal lawsuits against the government for any violation of restrictions placed on the government's use of voluntarily shared information, including the important privacy and civil liberties protections contained in the bill", the inclusion of an anti-tasking provision to "explicitly prohibits the government from conditioning its sharing of cyber threat intelligence on the sharing of private sector information with the government", and the prevention of the government from using the information for "any other lawful purpose unless the government already has a significant cybersecurity or national security purpose in using the information". Relevant provisions were also clarified to "focus on the fact that the bill is designed to protect against unauthorized access to networks or systems, including unauthorized access aimed at stealing private or government information".[19] In addition, already collected cyberthreat data can also be used to investigate "the imminent threat of bodily harm to an individual" or "the exploitation of a minor," bringing the bill into line with existing law codified by the Patriot Act and the PROTECT Our Children Act[20] in which these two conditions already allow for protected entities to share data voluntarily with the United States government, law enforcement agencies, and the National Center for Missing and Exploited Children.[21]
Recent developments
Bill sponsors Mike Rogers and Dutch Ruppersberger, the chairman and ranking member of the House Intelligence Committee, respectively, said on April 25, 2012, that the Obama administration's opposition is mostly based on the lack of critical infrastructure regulation, something outside of the jurisdiction of the Intelligence Committee; they have also since introduced a package of amendments to the legislation that "address nearly every single one of the criticisms leveled by the Administration, particularly those regarding privacy and civil liberties of Americans".[22]
Due to the opposition the bill has experienced, the co-sponsors are planning to amend the bill to address many of the concerns of its opponents—including limiting its scope to a narrower definition of cyber-threats, and stating that the "theft of intellectual property" refers to the theft of research and development. In addition, there will now be penalties if private companies or the government uses data from CISPA for purposes "unrelated to cyberthreats".[23][24]
However, Sharan Bradford Franklin of the Constitution Project states, "Although we appreciate the Intelligence Committee's efforts to improve the bill and willingness to engage in a dialogue with privacy advocates, the changes in its most current draft do not come close to addressing the civil liberties threats posed by the bill, and some of the proposals would actually make CISPA worse. Therefore, Congress should not pass CISPA".[25]
Rainey Reitman of the Electronic Frontier Foundation states, "To date, the authors of the bill have been unresponsive to these criticisms, offering amendments that are largely cosmetic. Dismissing the grave concerns about how this bill could undermine the core privacy rights of everyday Internet users, Rep. Mike Rogers characterized the growing protests against CISPA as 'turbulence' and vowed to push for a floor vote without radical changes."[26]
Kendall Burman of the Center for Democracy and Technology states, "The authors of CISPA have made some positive changes recently. Unfortunately, none of the changes gets to the heart of the privacy concerns that Internet users and advocacy groups have expressed."[27]
In April 2012, the Office of Management and Budget of the Executive Office of the President of the United States released a statement strongly opposing the current bill and recommending that it be vetoed.[28]
On April 26, 2012, the House of Representatives passed CISPA.
On February 13, 2013, United States Representative Mike Rogers reintroduced the CISPA bill in the 113th Congress as H.R. 624.[6]
On April 18, 2013, the House of Representatives passed H.R. 624.[8] The Senate has reportedly refused to vote on the measure and is drafting competing legislation.[29]
Former Representative Ron Paul (R-TX) has publicly opposed the bill, calling it "Big Brother writ large."[37][38][39]
36 groups currently oppose CISPA,[40] with an addition of 6 groups as of April 21.[41] The Electronic Frontier Foundation maintains a growing list of opposition[42] as well as a list of security experts, academics, and engineers in opposition to the bill.[43] They also published the statement Don't Let Congress Use "Cybersecurity" Fears to Erode Digital Rights.[44]
Opposition to CISPA includes more than 840,000 online petitioners who have signed global civic organization Avaaz.org's petition to members of the US Congress entitled "Save the Internet from the US".[45] Avaaz also has a petition to Facebook, Microsoft, and IBM entitled "The end of Internet privacy", signed by more than 840,000 people.[46]
The Center for Democracy and Technology (CDT) published a statement titled "Cybersecurity's 7-Step Plan for Internet Freedom".[47] The CDT openly opposes the Mike Rogers bill based on these 7-step criteria.[48] The CDT has also openly supported a competing bill in the house sponsored by Representative Dan Lungren (R-CA)[49] that has yet to be reported by the committee.[50]
The Constitution Project (TCP) "believes cybersecurity legislation currently pending before Congress possess major risks to civil liberties that must be addressed before any bill is enacted into law."[51]
The American Civil Liberties Union (ACLU) has also issued a statement opposing the bill stating, "The Cyber Intelligence Sharing and Protection Act would create a cybersecurity exception to all privacy laws and allow companies to share the private and personal data they hold on their American customers with the government for cybersecurity purposes." As the statement continues, "Beyond the potential for massive data collection authorization, the bill would provide no meaningful oversight of, or accountability for, the use of these new information-sharing authorities."[52]
The Sunlight Foundation states, "The new cybersecurity bill, CISPA, or HR 3523, is terrible on transparency. The bill proposes broad new information collection and sharing powers (which many other organizations are covering at length). Even as the bill proposes those powers, it proposes to limit public oversight of this work."[53]
Cenk Uygur, from Current TV, opposed the bill and highlighted one of Mike Rogers' speeches about the bill to the business community. He also attempted to summarize the bill to his audience.[54]
Demand Progress opposes CISPA, stating "The Cyber Intelligence Sharing and Protection Act, or CISPA, would obliterate any semblance of online privacy in the United States."[55]
Reporters Without Borders states, "Reporters Without Borders is deeply concerned with the Cyber Intelligence Sharing and Protection Act of 2011 (CISPA), the cyber security bill now before the US Congress. In the name of the war on cyber crime, it would allow the government and private companies to deploy draconian measures to monitor, even censor, the Web. It might even be used to close down sites that publish classified files or information."[57]
testPAC opposes CISPA, stating "CISPA would effectively take the door off the hinge of every household in America, but lacks the tools necessary to distinguish whether there is a criminal hiding in the attic. Why surrender the core of our privacy for the sake of corporate and governmental convenience?"[citation needed]
Mozilla, the maker of the Firefox web browser, opposes CISPA, stating, "While we wholeheartedly support a more secure Internet, CISPA has a broad and alarming reach that goes far beyond Internet security."[58]
The Association for Computing Machinery believes that "More effective information sharing in support of cybersecurity is a laudable goal, but CISPA is seriously flawed in its approach to PII. Better approaches to information sharing are certainly possible if privacy goals are also considered."[59]
IGDA, the International Game Developers Association, is against this bill, urging Congress and the President to reject it and saying, in part, "The version of CISPA which just emerged from the House Intelligence Committee does not address the privacy failings in the previous version, which the White House wisely rejected. The bill still retains its dangerously over-broad language, still lacks civilian control, still lacks judicial oversight, and still lacks clear limits on government monitoring of our Internet browsing information. The House should vote against it."[60]
The Libertarian Party protested it by blacking out much of their Facebook, and encouraged others to follow suit.[61]
Anonymous, a hacktivist group, has criticized the bill and called for an "Internet blackout day" to protest the bill. The date of the blackout was April 22, 2013.[67]
Prior attempts for U.S. cybersecurity bills
Since legislation must pass the House and the Senate within the same Congress, anything introduced during the 112th or earlier Congresses has to pass both chambers again.
S. 2105 (Cybersecurity Act), reported by committee on February 15, 2012. Sponsored by Senator Joseph Lieberman (I-CT).[69] Failing to gain enough support for passage, the bill, entitled "Cybersecurity Act of 2012", was reintroduced on July 19, 2012 in a revised form which omitted federal imposition of security standards on IP providers, as well as including stronger privacy and civil liberties protections.[70]
House of Representatives
H.R. 3674 (Precise Act), reported by committee April 18, 2012, by Representative Dan Lungren (R-CA).[71] The bill changed as "Lungren dropped many of the critical infrastructure and DHS provisions" due to the house.[72]
H.R. 4257 (Federal Information Security Amendment Act of 2012), reported by committee April 18, 2012[73] by Representative Darrell Issa (R-CA).
"H.R.3523 - CRS Summary". THOMAS (Library of Congress). Congressional Research Service. Archived from the original on July 3, 2016. Retrieved April 5, 2012.