Separating Fact from Fiction with CISPA (HR 3523)

Background: CISPA (the Cyber Intelligence Sharing and Protection Act) is legislation, passed by the House, intended to help protect American computer systems from attacks by foreign hackers. On average, American systems face over 9 billion attacks every day. These include attacks on military installations, critical utility facilities, and private business systems. Most of these attacks appear to originate from China, Russia, and Iran. Some of these attacks come from foreign intelligence agencies, some from organized crime syndicates, and some from terrorist organizations.

Cyber attacks will cost American companies an estimated $400B in 2012. Visa gets over 3 million attacks on its network every day. Symantec, the company that owns Norton anti-virus, discovered 286 million new unique threats in 2010 – or roughly 9 new computer viruses every second. The cyber attacks on the Pentagon alone have cost taxpayers more than $100M.

For hundreds of years, local law enforcement officers have kept communities apprised of threats to help prevent crime and protect citizens. The CDC issues health advisories and counsels doctors and hospitals on containing disease outbreaks. The National Weather Service advises airports and news outlets on impending hazardous weather conditions.

Similarly, the CISPA legislation allows for voluntary information sharing between businesses and the federal government, when hackers attack sensitive systems. CISPA will allow law enforcement to warn American companies about potential cyber attacks. CISPA also allows companies to share threat information with each other to better prepare against internet based attacks.

Very importantly, this bill (in its current form) allows companies who specialize in protecting computers to share information about incoming cyber attacks in real time. Virus and malware companies will be able to react much more quickly to stop attacks on networks of computers if they can see the attacks coming and prepare.

CISPA was amended to protect the private information of end users whose computers might be threatened by a cyber attack. It specifically prohibits the federal government from violating citizens’ privacy by sharing library, medical, tax, or gun purchase records. The legislation does not set up a government registry for guns, ammunition, or anything else. The information that is to be shared relates only to the nature of the cyber threat.

Common Rumors & Questions:

CISPA does not give any authority to any US Government agency to engage in any unreasonable searches and seizures. There are strong limitations on the government’s use of any information that private companies choose to share with the government:

• The cyber threat information must be protected from disclosure outside the federal government unless further sharing is specifically authorized by the entity providing the information.

• The government may not use the cyber threat information for any purpose other than (1) cyber security, (2) investigation and prosecution of cybersecurity crimes, (3) protection of individuals from the danger of death or physical injury, (4) protection of minors from physical or psychological harm, and (5) protection of the national security of the U.S. (Amendment #38)

• The government may not require any entity to share cyber threat information with the government.

• The government may not require the sharing of cyber threat information in exchange for government cyber threat intelligence.

• The government is prohibited from using library circulation records, library patron lists, book sales records, book customer lists, firearms sales records, tax return records, educational records, or medical records. (Amendment #33)

Claim:

“There are already hackers working for the US government who prevent foreign attacks. CISPA is the internet version of the TSA that violates Americans’ rights at airports in the name of 'terrorist prevention'.”

Fact: CISPA does not permit government surveillance. Instead, it allows the government to share classified threat information with the private sector to help the private sector better defend its own networks. The bill also provides clear authority to the private sector – not the government – to identify and share cyber threats on its own systems and networks.

The bill only permits private sector identification and sharing of cybersecurity threat information where a company is engaged in the protection of its own systems or networks or those of a corporate customer – it does not permit the monitoring of individual customers. It also does not require anyone to provide information to the government.

If the government violates any of the prohibitions or restrictions in the legislation, the bill makes the government liable for damages, costs, and attorney’s fees in a federal court. As such, the government’s only role under the bill is to provide intelligence information to the private sector to help the private sector protect itself, and to provide assistance if the private sector voluntarily chooses to provide information to the government.

Claim:

“The bill is very broadly written, and allows the Department of Homeland Security to obtain large swaths of personal information contained in your emails or other online communication. It also allows emails and private information found online to be used for purposes far beyond any reasonable definition of fighting cyberterrorism. CISPA represents an alarming form of corporatism, as it further intertwines government with companies like Google and Facebook. It permits them to hand over your private communications to government officials without a warrant, circumventing well-established federal laws like the Wiretap Act and the Electronic Communications Privacy Act."

Fact: This is absolutely incorrect. (See above for the specific role of the government.) Additionally, Amendment #36 clarified that the liability protection of the bill only extends to the identification, acquisition, and sharing of cyber threat information. Liability protection in the bill with respect to the use of cybersecurity systems therefore cannot be read to be broader than the activities authorized by the bill.

Amendment #41 allows the federal government to undertake efforts to limit the impact on privacy and civil liberties of the sharing of cyber threat information. Amendment #37 clarified that nothing in the bill provides additional authority to the federal government, including DOD, NSA, DHS, or the Intelligence Community, to install, employ, or use cybersecurity systems on private sector networks.

Which parts of the bill are sunsetted?

The entire bill is sunset five years after the date of its enactment.

Are there any limits, guidelines or restrictions on the types of information that private companies can share with the federal government?

Private companies should only share “cyber threat information” with the government. The definition of “cyber threat information” ensures that the information being identified and shared is limited to information about (1) cyber security, (2) investigation and prosecution of cybersecurity crimes, (3) protection of individuals from the danger of death or physical injury, (4) protection of minors from physical or psychological harm, and (5) protection of the national security of the U.S. (Amendment #38). If a private company shares more information than it should, the government is obligated to let the company know, and the government is not permitted to keep that information (Amendment #41).

Are private companies who violate their terms of service to turn over information to the government protected from civil action?

The bill’s definitions specifically exclude individuals from being covered by the bill. The bill only allows the voluntary sharing of cyber threat information, and the liability limitation provided by the legislation only applies to activities related to cyber threat information. So if a company were to share information that doesn’t fit the definition of cyber threat information, or to share information for purposes other than cybersecurity, individuals could sue the company.