Privacy advocates say a controversial cybersecurity bill will likely face tough odds of clearing Congress this year due to recent developments in the debate over how to protect critical infrastructure from hacker attacks.
House Intelligence Committee leaders Mike Rogers (R-Mich.) and Dutch Ruppersberger (D-Md.) re-introduced the Cyber Intelligence Sharing and Protection Act, known as CISPA, this week. It is designed to remove legal barriers that prevent government and industry from sharing information about cyber threats in real time. Privacy groups that rallied against CISPA last year say the discussion about cybersecurity policy has changed significantly since 2012, and the cyber threat information-sharing bill will have a difficult time working its way through Congress unless additional privacy protections are baked into it.
"Continuing with CISPA as is and without substantive changes will prevent any real movement on this issue," said Michelle Richardson, legislative counsel at the American Civil Liberties Union (ACLU). "The bill is toxic. Right now, the Senate won't touch it if they choose to continue down that route. If anything, they're shooting themselves in the foot."
Privacy groups say the broad language in CISPA would allow companies to send customers' electronic communications—including personal information—to the intelligence community and the secretive National Security Agency (NSA). The bill should include a measure that requires companies to strip personal information from cyber threat data before sending it to the government, the groups argue, adding that a civilian agency, like the Homeland Security Department, should oversee the intelligence sharing process.
Rogers and Ruppersberger on Wednesday introduced the same version of CISPA that passed the House last year, despite a veto threat from the White House and outcry from privacy and civil liberties groups. Yet privacy advocates argue that the bill is more of an outlier this year because it varies significantly from the cybersecurity executive order the White House issued this week and the information-sharing section of a Senate cybersecurity bill.
"A year didn't make a lot of difference to the Intelligence Committee. The debate has moved significantly in the last year and CISPA has not kept up," said Leslie Harris, president of the Center of Democracy and Technology.
"I would have expected CISPA to reflect some changes given the focus this year on privacy," Harris added. "And yet a year later we're in the same place, so I certainly don't share the belief that somehow CISPA is a slam dunk. If it is, I don't think it's going anywhere in the Senate." Advocacy groups such as Demand Progress, Electronic Frontier Foundation and Fight for the Future are readying campaigns to drum up public opposition to the bill.
The cybersecurity executive order issued by President Obama this week called for agencies to implement privacy and civil liberties protections into their cyber activities. It also encouraged agencies to share more classified cyber threat information with companies that operate critical infrastructure and commercial service providers that deliver security services to electric companies, water plants and other key infrastructure.
Harris argues that the executive order addressed part of the need to improve information sharing about cyber threats so companies can receive valuable government intelligence that will help them secure their computer networks and systems from forthcoming cyberthreats.
"Now we have a narrower share of issues" that need to be addressed in information-sharing legislation in Congress this year, Harris said.
Additionally, privacy groups applauded the changes made to a Senate cybersecurity bill last year, which included a provision that requires companies to "make reasonable efforts" to remove sensitive personal information from cyber threat data before they share it with the government. The Senate bill would also put civilian agencies, such as the Homeland Security Department, at the hub of cyber threat information-sharing exchanges between the government and industry, so the data doesn't flow directly to the military or NSA.
ACLU's Richardson says the Senate bill presents a more moderate alternative to CISPA that also boasts praise from privacy groups.
But the House Intelligence Committee leaders are bullish about the political prospects for their bill.
Unlike the privacy groups, Rogers believes the release of the president's executive order only helps CISPA's chances of clearing Congress this year because it addressed the Senate's aim to establish cybersecurity standards for the computer networks of critical infrastructure. That would put the focus on clearing a cyber threat information-sharing measure instead.
"We think that now we are in a better place to work with the White House to try to find some common ground as this moves out of the House," Rogers said during a press conference at the Center for Strategic and International Studies this week. "The executive order, we think, will take a little pressure off the Senate's insistence on infrastructure rules, regulations and standards."
The bill also enjoys support from a broad range of industries, from financial institutions to major tech and telecom companies like IBM and AT&T.
Business groups are eager to pass an information-sharing bill this year because the executive order legally cannot grant companies protection from lawsuits if they share cyber threat data with the government; only legislation can. Congress also has the power to protect companies from getting hit with antitrust cases if they share cyber threat data among one another.
The two CISPA co-authors also contend that privacy groups misunderstand the aim of their bill and the type of threat information the legislation will allow companies to share with the government. They argue that businesses will send the government technical information about malicious source code they spot on their computer networks or IP addresses that are sourced to hackers—not people's emails or other communications.
"It is not a surveillance program. It's in real-time, at the speed of light, exchanging zeroes and ones when it comes to malicious software," Rogers said at the press conference this week.
But privacy groups don't buy that argument.
"This is an art, not a science, and it's an art that involves very sensitive personal information and we ought to be looking for more protections for privacy in the process, not just sort of sweeping the issue away and claiming that it's all zeroes and ones," Harris said. "Zeroes and ones actually mean something [on the Internet]."
For example, spearphishing, or hacking into a person's computer via email, is a popular method used by hackers. To crack into a computer, a hacker will send a person an email with a link or attachment that's laced with poisonous source code. The hacker will gain access to the computer if the person clicks on the poisoned link or downloads the attachment.
In this case, Richardson says companies may turn over the IP address, email addresses included in the message, or the body of the email itself. She argues that additional limitations on the type of cyber threat data companies can share with the government need to be written into the text of CISPA.
"Who knows what companies will determine to be relevant to a spearphishing attack? Maybe it won't include ones and zeroes, maybe it will include the email," she said.