Skip to main content

Controversial CISPA legislation will protect US from cyber threats, say lawmakers

The authors of the controversial US CISPA information-sharing bill argued that the legislation is necessary to protect against cyberattacks from countries like China and Iran, and said they are working to resolve issues that the White House has with the bill in its current form.

In a conference call with reporters US, Representative Mike Rogers - chairman of the House Permanent Select Committee on Intelligence - said that his bill protects civil liberties while preserving the open and free Internet. "[CISPA] protects privacy by empowering Web services and providers to protect their services," argued Rogers, a Michigan Republican.

CISPA would allow for the government and private companies to exchange information about cyberthreats. If Homeland Security became aware of a planned hack of Facebook, for example, it could notify the appropriate people at the social network. Where it gets controversial is that CISPA would also allow Facebook to tell the feds - or other tech firms - if detected hackers on its network.

Specifically, CISPA would "empower American businesses to share anonymous cyber threat information with others in the private sector and enable the private sector to share information with the government on a purely voluntary basis."

CISPA supporters argue that this type of information sharing just makes sense; how can you thwart or battle an attack if you don't know about it? Opponents, however, argue that CISPA would allow for companies like Facebook or Google to hand over personal information about their users in the name of cybersecurity. Those companies are provided with good-faith immunity in the event of an attack and theft of personal information.

"What constitutes 'good faith' is unclear on the face of CISPA, given its overall vagueness—which is likely to make difficult any attempt at litigating against companies," the Electronic Frontier Foundation, which opposes CISPA, argued last year.

If a company has inadequate security, is hacked, and all its customers' data is stolen, the firm could possibly avoid any sort of repercussions simply by providing details about the hack to the feds, groups like the EFF argued.

Representatives Rogers and C.A. Dutch Ruppersberger, the ranking member of the committee, didn't go into much detail on that front, but stressed that civil liberties are a top concern, and said CISPA simply "empowers the private sector to protect itself in a better way."

"The threat is real," Ruppersberger said today, pointing to recent hacks of the New York Times and other papers.

Rogers said members of Congress are surprised to hear about the actual threats during classified briefings, which "motivates people to do the right thing."

The US is "really under siege here from countries like Iran, who are trying to bring down our financial services industry," as well as China, which has engaged in "unprecedented [and] epic" cyber attacks, Rogers said.

CISPA already passed the House last year, but didn't make it very far in the Senate, while the White House threatened to veto it. Ruppersberger said that the administration's veto threat came rather late in the game last year, catching him and other supporters off guard. As a result, he and Rogers have already reached out to the White House about CISPA. Rogers said he anticipates "meaningful negotiations" with the administration.

As part of his State of the Union, meanwhile, President Obama this week released an executive order that allows for information sharing, but does not go as far as CISPA. The executive order would allow federal agencies to notify private companies about cyberthreats, but it's a one-way street; it does not include the ability for private companies to notify the government in exchange for immunity.