
CISPA: Don’t Toss It - Amend and Pass It

Apr 22, 2013

American netizens go on high alert when Congress starts suggesting ideas that would impact the Internet. In January of 2012, it was the Stop Online Piracy Act, which threatened to permit blackouts of websites found to be hosting content that infringes copyright. A few months later, in April of 2012, it was the Cyber Intelligence Sharing and Protection Act, or CISPA, which opponents claimed would allow companies to share their customers’ personal information with the government. CISPA passed the House of Representatives and moved on to the Senate, where it stayed until the end of the 112th Congress at the end of 2012.

Now, we are mere months into the 113th Congress, and CISPA has yet again passed the House of Representatives and is moving on to the Senate, almost a year after CISPA passed the House during the last term. CISPA is making headlines again, like the tagline for a bad zombie movie: The Privacy Threat That Wouldn’t Die!!!

Just like all trailers and taglines, the depictions of CISPA by its opponents paint the most dire and exciting interpretations, designed to draw people to the theater in droves. And just like many movies that have been hyped up beyond recognition by cleverly edited trailers and exciting taglines, the truth is often much less entertaining than the previews promised it to be.

The truth about CISPA is that its sponsors attempted to design it as a narrow bill to address a discrete problem: the difficulty of sharing information about cyber security threats and vulnerabilities between the private and public sectors. CISPA is not a comprehensive cybersecurity bill, though several comprehensive bills were introduced in the last Congressional term, like the SECURE IT Act, and the Cybersecurity Act of 2012. CISPA doesn’t create stiffer penalties for cybercrime. It doesn’t seek to overhaul the federal system for selecting information technology. It doesn’t create a new organization to oversee the disbursement of funds for cyber security research. CISPA’s emphasis is on a problem of information access that plagues efforts to protect the cybersecurity of essential services like power plants and water treatment facilities. The existence of threats to these services is not a hypothetical. In 2007, the Aurora Generator Test established that malicious code that takes advantage of a vulnerability could cause physical damage to a large generator. In 2010, Stuxnet demonstrated that a rootkit could cause the destruction of nuclear centrifuges.

These essential services are typically owned and operated by the private sector, and information about cyber threats does not currently flow well between the private sector and the government. If information about a particular threat is considered classified, and these essential services do not have employees who are eligible to receive classified information, should the government just hoard its information and hope that the private sector figures it out on its own? That sort of issue is why CISPA offers a way for these types of essential service providers to have employees obtain security clearances for the purpose of receiving cyber threat intelligence.

If that were as far as CISPA goes, this controversy probably wouldn’t be happening at all. But CISPA also permits the private sector to share cyber threat information with the government, though CISPA states explicitly in its language that this sharing is voluntary, and that the receipt of information from the government cannot be conditioned on reciprocal information sharing. During the floor debates in 2012, sponsor Rep. Mike Rogers (R-Mich) emphasized that his idea of cyber threat information only encompassed source code relating to the threats. This limitation is, however, not in CISPA’s language. With CISPA’s current language, cyber threat information that the private sector can share with the government is a potentially broad category, and turns CISPA into another battle between privacy and security, but this does not need to be the case.

Instead of calling for CISPA to be defeated, a better solution might be to call for it to be amended. Change it, don’t toss it. Limit it, don’t destroy it. CISPA offers a potentially effective way to address the difficulty of getting classified cyber threat intelligence to members of the private sector who would be in the best position to use that information to shore up cyber defenses. We should hold Representative Rogers to his word, and demand that Congress amend CISPA to state that while the private sector can share “cyber threat information” with the government, only the actual malicious code or information about specific vulnerabilities should be considered “cyber threat information.” If the government wants to know what exploits hackers are using, there is no reason to ask private companies to turn over data that might include personal information.

It is possible that investigations into cybersecurity vulnerabilities could turn into criminal investigations, but CISPA does not need to be involved in that. If more information is needed as part of an investigation, government officials can use available methods, including search warrants and procedures under the Stored Communications Act. By the time any criminal investigation arises, CISPA will have already served a valuable purpose by facilitating the sharing of information about cybersecurity vulnerabilities and exploits between the public and private sectors. Making CISPA reach any further in the investigative process is just needless duplication of existing law.

Jay P. Kesan is a professor of law at Illinois, an H. Ross & Helen Workman Research Scholar, and the director of the Program in Intellectual Property & Technology Law.