The Cyber Intelligence Sharing and Protection Act (CISPA), H.R. 624, is set to be considered by the full House of Representatives later this month. Although the bill that emerged from markup by the House Permanent Select Committee on Intelligence (HPSCI) includes some improvements in privacy safeguards over the earlier version, CISPA’s proponents have overstated the protections incorporated into the bill. As a result, members of Congress should vote against CISPA when it comes to the House floor.
Last year, The Constitution Project’s bipartisan Liberty and Security Committee, on which I serve, prepared a detailed report on ways that Congress could protect our nation’s computer networks from cyber threats, while at the same time preserving the constitutionally-guaranteed rights of Americans. Unfortunately, the drafters of CISPA failed to incorporate the robust safeguards we recommended.
Most critical, CISPA’s sponsors have resisted all efforts to ensure that the new cybersecurity program would maintain civilian control of our nation’s computer networks. CISPA would allow private companies, cloaked with broad immunity from legal liability, to share sensitive information such as internet records or the content of emails, with any agency in the government, including military and intelligence agencies. Sensitive personal information from private computer networks should not be shared directly with the military or the National Security Agency (NSA), the agency that gained widespread public notoriety seven years ago for its warrantless wiretapping program -- hardly the agency we want to see tasked with receiving private internet traffic.
Sadly, the members of HPSCI voted down an amendment that would have ensured civilian control of computer networks, by specifying that when private companies share information with the federal government, they should not provide it to the NSA or any other military agency or department. This amendment would still have permitted the NSA to share its own expertise on cyber threats with the private sector, but would have protected the information flowing into the government.
A second critical flaw with CISPA is that it fails to include meaningful limits on the extent of private sensitive information that companies can send into the government. The HPSCI also voted down an amendment requiring that before sharing cyber threat information with the government, companies must “make reasonable efforts” to remove “any information that can be used to identify a specific person unrelated to the cyber threat.” A similar provision was included in last year’s Senate cybersecurity bill, and witnesses at a hearing before HPSCI earlier this year testified that companies can easily strip out personally identifiably information that is not necessary to address cyber threats. Yet CISPA still lacks any such safeguard.
It is true that from a privacy perspective, this version of CISPA is an improvement over last year’s bill. Most notably, the bill no longer permits private information to be used for broad “national security uses” unrelated to cybersecurity. But it clearly is not sufficient. Congress must take the civil liberties threats created by this bill just as seriously as it takes the cyber threats the legislation purports to address. CISPA does not meet this test, and members of the House should just say no.
Barr is a former Republican congressman from Georgia and a former 21st Century Liberties chairman for Freedom and Privacy at the American Conservative Union. He is a member of The Constitution Project’s Liberty and Security Committee.