Cyber Intelligence Sharing and Protection Act
||This article lends undue weight to certain ideas, incidents, or controversies. (October 2013)|
|Long title||To provide for the sharing of certain cyber threat intelligence and cyber threat information between the intelligence community and cybersecurity entities, and for other purposes.|
The Cyber Intelligence Sharing and Protection Act (CISPA H.R. 3523 (112th Congress), H.R. 624 (113th Congress)) is a proposed law in the United States which would allow for the sharing of Internet traffic information between the U.S. government and technology and manufacturing companies. The stated aim of the bill is to help the U.S. government investigate cyber threats and ensure the security of networks against cyberattacks.
The legislation was introduced on November 30, 2011 by Representative Michael Rogers (R-MI) and 111 co-sponsors. It was passed in the House of Representatives on April 26, 2012, but was not passed by the U.S. Senate. President Barack Obama's advisers have argued that the bill lacks confidentiality and civil liberties safeguards, and the White House said he would veto it. In February 2013 the House reintroduced the bill and it passed in the United States House of Representatives on April 18, 2013, but stalled and ultimately was not voted on by the United States Senate.
CISPA has been criticized by advocates of Internet privacy and civil liberties, such as the Electronic Frontier Foundation, the American Civil Liberties Union, Free Press, Fight for the Future, and Avaaz.org, as well as various conservative and libertarian groups including the Competitive Enterprise Institute, TechFreedom, FreedomWorks, Americans for Limited Government, Liberty Coalition, and the American Conservative Union. Those groups argue CISPA contains too few limits on how and when the government may monitor a private individual’s Internet browsing information. Additionally, they fear that such new powers could be used to spy on the general public rather than to pursue malicious hackers. CISPA had garnered favor from corporations and lobbying groups such as Microsoft, Facebook, AT&T, IBM, Apple Inc. and the United States Chamber of Commerce, which look on it as a simple and effective means of sharing important cyber threat information with the government.
Some critics saw CISPA as a second attempt at strengthening digital piracy laws after the Stop Online Piracy Act and the Protect Intellectual Property Act both met huge opposition. Intellectual property theft was initially listed in the bill as a possible cause for sharing Web traffic information with the government, though it was removed in subsequent drafts.
CISPA is an amendment to the National Security Act of 1947, which does not currently contain provisions pertaining to cybercrime. It adds provisions to the Act describing cyber threat intelligence as "information in the possession of an element of the intelligence community directly pertaining to a vulnerability of, or threat to, a system or network of a government or private entity, including information pertaining to the protection of a system or network from either 'efforts to degrade, disrupt, or destroy such system or network'. In addition, CISPA requires the Director of National Intelligence to establish procedures to allow intelligence community elements to share cyber threat intelligence with private-sector entities and encourage the sharing of such intelligence.
In an April 16, 2012, press release, the House of Representatives Permanent Select Committee on Intelligence announced the approval of several amendments to CISPA, including the addition of a new provision "to permit federal lawsuits against the government for any violation of restrictions placed on the government’s use of voluntarily shared information, including the important privacy and civil liberties protections contained in the bill," the inclusion of an anti-tasking provision to "explicitly prohibit the government from conditioning its sharing of cyber threat intelligence on the sharing of private sector information with the government," and the prevention of the government from using the information for "any other lawful purpose unless the government already has a significant cybersecurity or national security purpose in using the information." Relevant provisions were also clarified to "focus on the fact that the bill is designed to protect against unauthorized access to networks or systems, including unauthorized access aimed at stealing private or government information." In addition, already collected cyberthreat data can also be used to investigate "the imminent threat of bodily harm to an individual" or "the exploitation of a minor," bringing the bill into line with existing law codified by the Patriot Act and the PROTECT Our Children Act in which these two conditions already allow for protected entities to share data voluntarily with the United States government, law enforcement agencies, and the National Center for Missing and Exploited Children.
Bill sponsors Mike Rogers and Dutch Ruppersberger, the chairman and ranking member of the House Intelligence Committee, respectively, said on April 25, 2012 that the Obama administration's opposition is mostly based on the lack of critical infrastructure regulation, something outside of the jurisdiction of the Intelligence committee; they have also since introduced a package of amendments to the legislation that, "address nearly every single one of the criticisms leveled by the Administration, particularly those regarding privacy and civil liberties of Americans."
Due to the opposition the bill has experienced, the co-sponsors are planning to amend the bill to address many of the concerns of its opponents — including limiting its scope to a narrower definition of cyber-threats, and stating that the "theft of intellectual property" refers to the theft of research and development. In addition, there will now be penalties if private companies or the government uses data from CISPA for purposes "unrelated to cyberthreats."
However, Sharan Bradford Franklin, of the Constitution Project states, "Although we appreciate the Intelligence Committee's efforts to improve the bill and willingness to engage in a dialogue with privacy advocates, the changes in its most current draft do not come close to addressing the civil liberties threats posed by the bill, and some of the proposals would actually make CISPA worse. Therefore, Congress should not pass CISPA."
Rainey Reitman, of the Electronic Frontier Foundation states, "To date, the authors of the bill have been unresponsive to these criticisms, offering amendments that are largely cosmetic. Dismissing the grave concerns about how this bill could undermine the core privacy rights of everyday Internet users, Rep. Mike Rogers characterized the growing protests against CISPA as 'turbulence' and vowed to push for a floor vote without radical changes."
Kendall Burman of the Center for Democracy and Technology states, "The authors of CISPA have made some positive changes recently. Unfortunately, none of the changes gets to the heart of the privacy concerns that Internet users and advocacy groups have expressed."
In April 2012, the Office of Management and Budget of the Executive Office of the President of the United States released a statement strongly opposing the current bill and recommending to veto it.
On April 26, 2012, the House of Representatives passed CISPA.
On February 13, 2013, United States Representative Mike Rogers reintroduced the CISPA bill in the 113th Congress as H.R. 624.
House voting counts
House vote on April 26, 2012 passing CISPA Affiliation Yes votes No votes Did not vote Democratic 42 140 8 Republican 206 28 7 Total 248 168 15
House vote on April 18, 2013 passing CISPA Affiliation Yes votes No votes Did not vote Democratic 92 98 11 Republican 196 29 6 Total 288 127 17
CISPA is supported by several trade groups containing more than eight hundred private companies, including the Business Software Alliance, CTIA – The Wireless Association, Information Technology Industry Council, Internet Security Alliance, National Cable & Telecommunications Association, National Defense Industrial Association, TechAmerica and United States Chamber of Commerce, in addition to individual major telecommunications and information technology companies like AT&T, IBM, Intel, Oracle Corporation, Symantec, and Verizon. Google has not taken a public position on the bill but has shown previous support for it, and now says they support the idea but believe the bill needs some work. Leading Google, Yahoo, and Microsoft executives are also on the executive council of TechNet, a tech trade group which sent a letter supporting CISPA in April 2013.
- Former Representative Ron Paul (R-TX) has publicly opposed the bill calling it "Big Brother writ large."
- 36 groups currently oppose CISPA with an addition of 6 groups as of April 21. The Electronic Frontier Foundation lists a growing list of opposition as well as a list of security experts, academics, and engineers in opposition of the bill. They also published the statement Don’t Let Congress Use "Cybersecurity" Fears to Erode Digital Rights.
- Opposition to CISPA includes more than 840,000 online petitioners who have signed global civic organization Avaaz.org's petition to members of the US Congress entitled "Save the Internet from the US". Avaaz also has a petition to Facebook, Microsoft, and IBM entitled "The end of Internet privacy", signed by more than 840,000 people.
- The Center for Democracy and Technology (CDT) published a statement titled "Cybersecurity's 7-Step Plan for Internet Freedom". The CDT openly opposes the Mike Rogers bill based on these 7-step criteria. The CDT has also openly supported a competing bill in the house sponsored by Representative Dan Lungren (R-CA) that has yet to be reported by the committee.
- The Constitution Project (TCP) "believes cybersecurity legislation currently pending before Congress possess major risks to civil liberties that must be addressed before any bill is enacted into law."
- The American Civil Liberties Union (ACLU) has also issued a statement opposing the bill stating, "The Cyber Intelligence Sharing and Protection Act would create a cybersecurity exception to all privacy laws and allow companies to share the private and personal data they hold on their American customers with the government for cybersecurity purposes." As the statement continues, "Beyond the potential for massive data collection authorization, the bill would provide no meaningful oversight of, or accountability for, the use of these new information-sharing authorities."
- The Sunlight Foundation states, "The new cybersecurity bill, CISPA, or HR 3523, is terrible on transparency. The bill proposes broad new information collection and sharing powers (which many other organizations are covering at length). Even as the bill proposes those powers, it proposes to limit public oversight of this work."
- Cenk Uygur, from Current TV, opposed the bill highlighted one of Mike Rogers' speech about the bill to the business community. He also attempted to summarize the bill to his audience.
- Demand Progress opposes CISPA, stating "The Cyber Intelligence Sharing and Protection Act, or CISPA, would obliterate any semblance of online privacy in the United States."
- Competitive Enterprise Institute joins with TechFreedom, FreedomWorks, Americans for Limited Government, Liberty Coalition, Al Cardenas, and American Conservative Union to write a letter to Congress. Competitive Enterprise Institute states, "Despite the bill's noble intentions, however, it risks unduly expanding federal power, undermining freedom of contract, and harming U.S. competitiveness in the technology sector." The Competitive Enterprise Institute lists 6 problems within the bill itself and how to fix those problems.
- Reporters Without Borders states, "Reporters Without Borders is deeply concerned with the Cyber Intelligence Sharing and Protection Act of 2011 (CISPA), the cyber security bill now before the US Congress. In the name of the war on cyber crime, it would allow the government and private companies to deploy draconian measures to monitor, even censor, the Web. It might even be used to close down sites that publish classified files or information."
- testPAC opposes CISPA stating "CISPA would effectively take the door off the hinge of every household in America, but lacks the tools necessary to distinguish whether there is a criminal hiding in the attic. Why surrender the core of our privacy for the sake of corporate and governmental convenience?"
- Mozilla, the makers of the Firefox Web-Browser, opposes CISPA stating, "While we wholeheartedly support a more secure Internet, CISPA has a broad and alarming reach that goes far beyond Internet security."
- The Association for Computing Machinery believes that "More effective information sharing in support of cybersecurity is a laudable goal, but CISPA is seriously flawed in its approach to PII. Better approaches to information sharing are certainly possible if privacy goals are also considered."
- IGDA, the International Game Developers Association is against this bill, urging Congress and the President to reject it saying, in part, "The version of CISPA which just emerged from the House Intelligence Committee does not address the privacy failings in the previous version, which the White House wisely rejected. The bill still retains its dangerously over-broad language, still lacks civilian control, still lacks judicial oversight, and still lacks clear limits on government monitoring of our Internet browsing information. The House should vote against it."
- The Libertarian Party protested it by blacking out much of their Facebook, and encouraged others to follow suit.
Week of action
Dubbed the "Stop Cyber Spying Week", starting on April 16, 2012, many civil liberties groups and advocates raised the awareness of CISPA (through a Twitter campaign with the hash-tags #CISPA and #CongressTMI,) including, but not limited to, the Constitution Project, American Civil Liberties Union, Electronic Frontier Foundation, Center for Democracy and Technology, Demand Progress, Fight for the Future, Free Press, Reporters Without Borders, Sunlight Foundation, and TechFreedom.
Prior attempts for U.S. cybersecurity bills
Since legislation must pass the House and the Senate within the same Congress, anything introduced during the 112th or earlier Congresses has to pass both chambers again.
- S. 2151 (Secure IT), introduced by Senator John McCain (R-AZ) on March 1, 2012.
- S. 2105 (Cybersecurity Act), reported by committee on February 15, 2012. Sponsored by Senator Joseph Lieberman (I-CT). Failing to gain enough support for passage, the bill, entitled "Cybersecurity Act of 2012", was reintroduced on July 19, 2012 in a revised form which omitted federal imposition of security standards on IP providers, as well as including stronger privacy and civil liberties protections.
House of Representatives
- H.R. 3674 (Precise Act), reported by committee April 18, 2012 by Representative Dan Lungren (R-CA). The bill changed as "Lungren dropped many of the critical infrastructure and DHS provisions" due to the house.
- H.R. 4257 Federal Information Security Amendment Act of 2012, reported by committee April 18, 2012 by Representative Darrell Issa (R-CA).
|Wikimedia Commons has media related to Cyber Intelligence Sharing and Protection Act.|
- Anti-Counterfeiting Trade Agreement
- Chinese intelligence operations in the United States
- Communications Assistance for Law Enforcement Act
- Federal Information Security Management Act of 2002
- Freedom of information laws by country
- Intellectual Property Attache Act
- National Security Agency
- PROTECT IP Act
- United States Department of Homeland Security
- "HR 3523 as reported to the House Rules Committee".
- "H.R. 3523". Library of Congress. Retrieved April 5, 2012.
- "Current Status of CISPA". GovTrack. Retrieved April 18, 2012.
- "FINAL VOTE RESULTS FOR ROLL CALL 192". Retrieved April 26, 2012.
- "Cyber-security bill Cispa passes US House". BBC News. April 26, 2012. Retrieved May 1, 2012.
- "CISPA Cybersecurity Bill, Reborn: 6 Key Facts", Mathew J. Schwartz, Information Week, February 14, 2013
- "FINAL VOTE RESULTS FOR ROLL CALL 117". Retrieved April 18, 2013
- "Senate Won't Vote On CISPA, Deals Blow To Controversial Cyber Bill". Huffington Post. April 25, 2013. Retrieved April 26, 2013.
- Masnick, Mike (April 2, 2012). "Forget SOPA, You Should Be Worried About This Cybersecurity Bill". Techdirt. Retrieved April 11, 2012.
- 5 Reasons the CISPA Cybersecurity Bill Should Be Tossed Time Techland, By Matt Peckham
- Hayley Tsukayama (April 27, 2012). "CISPA: Who’s for it, who’s against it and how it could affect you". Washington Post. Retrieved May 1, 2012.
- Morgan Little (April 9, 2012). "CISPA legislation seen by many as SOPA 2.0". Los Angeles Times. Retrieved April 30, 2012.
- "House Cybersecurity Bill Backs Off On IP Theft Provisions". Retrieved April 18, 2012.
- H.R. 3523 Discussion Draft - U.S. House of Representatives - November 29, 2011
- "CRS report on CISPA". Congressional Research Service. Retrieved April 5, 2012.
- "Discussion Draft HR 3523". United States House Select Committee on Intelligence. Retrieved April 17, 2012.
- Albanesius, Chloe. "White House Threatens to Veto CISPA". PC Magazine.
- New CISPA amendments expected - but the fight will go on - Digitaltrends.com - April 10, 2012
- CISPA and SOPA like 'apples and oranges,' say chief co-sponsors - Digitaltrends.com - April 10, 2012
- "CISPA Lacks Protections for Individual Rights". USNews. Retrieved April 18, 2012.
- "CISPA Is Dangerously Vague". USNews. Retrieved April 18, 2012.
- "CISPA Not the Right Way to Achieve Cybersecurity". USNews. Retrieved April 18, 2012.
- Statement of Administration Policy - H.R. 3523 - Cyber Intelligence Sharing and Protection Act - Office of Management and Budget, April 25, 2012.
- Smith, Gerry (April 25, 2013). "Senate Won't Vote On CISPA, Deals Blow To Controversial Cyber Bill". The Huffington Post. Retrieved April 29, 2013.
- "FINAL VOTE RESULTS FOR ROLL CALL 192". clerk.house.gov. Retrieved April 20, 2013.
- "FINAL VOTE RESULTS FOR ROLL CALL 117". clerk.house.gov. Retrieved April 18, 2013.
- "H.R. 3523 - Letters of Support". House Permanent Select Committee on Intelligence. Retrieved April 26, 2012.
- "CISPA supporters list: 800+ companies that could help Uncle Sam snag your data". Digital Trends. Retrieved April 12, 2012.
- Brendan Sasso (April 23, 2012). "Google acknowledges lobbying on cybersecurity bill CISPA". Hillicon Valley. Retrieved May 9, 2012.
- "US House of Representatives passes CISPA cybersecurity bill". Rt.com. April 18, 2013. Retrieved April 23, 2013.
- Moyer, Edward (13 April 2013). "Google, Yahoo, Microsoft execs back CISPA through trade group". CNET News.
- Smith, Dave (12 April 2013). "CISPA 2013: Google, Apple Top Massive List Of Supporters Favoring The Controversial Cybersecurity Bill". International Business Times.
- "Opposition grows to CISPA 'Big Brother' cybersecurity bill". CNET. Retrieved April 23, 2012.
- "Ron Paul says Cispa cyberterrorism bill would create 'Big Brother' culture". GuardianUK. Retrieved April 23, 2012.
- "CISPA is the new SOPA". The Hill. Retrieved April 23, 2012.
- "CISPA is Big Brother’s Friend". The New American. Retrieved April 5, 2013.
- "Letter To Congress". Privacy Lives. Retrieved April 23, 2012.
- "Free Market Coalition: Amend CISPA to Preserve Freedom, Prevent Gov't Overreach". CEI. Retrieved April 23, 2012.
- "Voices of Opposition Against CISPA". EFF. Retrieved April 23, 2012.
- "An Open Letter From Security Experts, Academics and Engineers to the U.S. Congress: Stop Bad Cybersecurity Bills". EFF. Retrieved April 23, 2012.
- "Don’t Let Congress Use "Cybersecurity" Fears to Erode Digital Rights". EFF. Retrieved April 7, 2012.
- "Save the Internet from the US". Avaaz. Retrieved April 19, 2012.
- "The end of Internet privacy". Avaaz. Retrieved April 19, 2012.
- "Cybersecurity's 7-Step Plan for Internet Freedom". CDT. Retrieved April 10, 2012.
- "Lungren Cybersecurity Bill Takes Careful, Balanced Approach". CDT. Retrieved April 10, 2012.
- "H.R. 3674: PRECISE Act of 2011". GovTrack.us. Retrieved April 10, 2012.
- "ISSUE ALERT: Cybersecurity Bills Pending in U.S. House Threaten Privacy Rights and Civil Liberties". TCP. Retrieved April 11, 2012.
- "ACLU Opposition to H.R. 3523, the Cyber Intelligence Sharing and Protection Act of 2011". ACLU. Retrieved April 13, 2012.
- "CISPA is Terrible for Transparency". Sunlight Foundation. Retrieved April 14, 2012.
- "Ron Paul is right about CISPA: It must be stopped". Current TV. Retrieved April 25, 2012.
- "CISPA Is The New SOPA: Help Kill It". Demand Progress. Retrieved April 14, 2012.
- "Letter to Rogers and Ruppersburger". CEI. Retrieved April 23, 2012.
- "Draconian cyber security bill could lead to Internet surveillance and censorship". RWB. Retrieved April 15, 2012.
- "Legislative Agenda". PopVox. Retrieved April 18, 2012.
- "Mozilla breaks ranks with Silicon Valley, comes out against CISPA". The Hill. Retrieved May 3, 2012.
- "Letter in regards to CISPA". ACM. Retrieved June 6, 2012.
- "Letter in regards to CISPA". Retrieved April 17, 2013.
- "Cover Photos". Libertarian Party's Page. Facebook. 22 April 2013.
- "Kicking off "Stop Cyber Spying Week"". ACLU. Retrieved April 16, 2012.
- "Stop Cyber Spying Week Launches to Protest CISPA". EFF. Retrieved April 16, 2012.
- "Week of Action On CISPA Preceding "Cybersecurity Week" in the House". CDT. Retrieved April 16, 2012.
- "Save The Internet". Free Press. Retrieved April 16, 2012.
- "Internet Advocacy Coalition Announces Twitter Campaign to Fight Privacy-Invasive Bill (CISPA". En.rsf.org. Retrieved April 22, 2013.
- "Everything Anonymous". AnonNews.org. Retrieved April 22, 2013.
- "S. 2151: SECURE IT". GovTrack.us. Retrieved April 13, 2012.
- "S. 2105: Cybersecurity Act of 2012". GovTrack.us. Retrieved April 13, 2012.
- Eric Chabrow (July 19, 2012). "Senators Purge Regulations from Cybersecurity Bill: Obama Calls for Passage of Revised Cybersecurity Act of 2012". gov info security. Retrieved July 20, 2012.
- "H.R. 3674: PRECISE Act of 2011". GovTrack.us. Retrieved April 13, 2012.
- "House Homeland Security Panel Fights to Stay in Cybersecurity Debate". nationaljournal. Retrieved April 20, 2012.
- "Federal Information Security Amendments Act of 2012". GovTrack.us. Retrieved April 18, 2012.