What is CISPA, and Why Should You Care?
26/04/2013 02:14
A controversial cyber-security bill known as CISPA is once again in the news. The House approved the bill last week, and it now moves to the Senate, but opponents of the measure are not going down without a fight. Today, in fact, hacker collective Anonymous is calling on websites to go dark in protest of CISPA as they did last year against the Stop Online Piracy Act (SOPA) and the PROTECT IP Act (PIPA).
But what is CISPA and why is it creating such a ruckus? Why is it being compared to SOPA and PIPA? Let's break it down.
What is CISPA? CISPA stands for Cyber Intelligence Sharing and Protection Act.
What does it do? CISPA would allow for voluntary information sharing between private companies and the government in the event of a cyber attack. If the government detects a cyber attack that might take down Facebook or Google, for example, they could notify those companies. At the same time, Facebook or Google could inform the feds if they notice unusual activity on their networks that might suggest a cyber attack.
Sounds OK. What's the problem? Backers argue that CISPA is necessary to protect the U.S. against cyber attacks from countries like China and Iran. But opponents said that it would allow companies to easily hand over users' private information to the government thanks to a liability clause. This, according to the Electronic Frontier Foundation, "essentially means CISPA would override the relevant provisions in all other laws—including privacy laws."
Is that true? The bill's sponsors, Reps. Mike Rogers and Dutch Ruppersberger, say no. But amidst backlash over the vague wording in the bill, the congressmen introduced an amendment that would require the government to anonymize any data it turns over to a private company.
Did that do the trick? Not exactly. The White House has threatened to veto CISPA, in part because it does not require private companies to do the same and anonymize the data they hand over to the government. Such a requirement would impose an onerous burden on private companies and perhaps deter them from participating in this voluntary program, backers claim.
What type of personal information are we talking about? According to the EFF, "CISPA is written broadly enough to permit your communications service providers to share your emails and text messages with the government, or your cloud storage company could share your stored files." Bill sponsors, however, argued that CISPA is needed to keep that data safe, pointing to foreign hackers who have hit U.S. companies in an effort to steal information. The ability to share data about incoming cyber attacks as quickly as possible could thwart the improper use of that data, they said.
What's the difference between CISPA and SOPA/PIPA? SOPA and PIPA targeted websites that trafficked in counterfeit goods, from fake purses to software. The bills would have allowed copyright owners to file a complaint against offending websites and have them pulled from the Web. SOPA/PIPA were aimed at "rogue" overseas sites, but they prompted concern that legitimate websites here in the U.S. would be taken offline. Major firms like Google and Facebook expressed concern with the bills, which were ultimately tabled after a Jan. 2012 Internet blackout day.
Is the same thing happening with today's CISPA blackout? The idea is the same, but the support is a bit more tepid. The list of sites going dark in protest of CISPA is not exactly a who's who of major tech firms. When CISPA was first introduced, Facebook actually voiced its support, though it backed off a bit this year.
What changed? With SOPA and PIPA, tech firms were concerned about having their websites taken offline for no reason, which would have cost them millions of dollars. So there was a big incentive to see it defeated. CISPA, however, goes after cyber attacks - which also cost those firms money. If there's a way to get a heads up about a cyber attack, these companies are probably going to take it. The backlash against CISPA from the privacy/consumer groups means the support for CISPA is somewhat muted, but there are some big names on the bill's list of supporters, including AT&T, Comcast, HP, IBM, Intel, Time Warner Cable, and Verizon.
So why take it up again? The bill sponsors claim that with the increased number of attacks from countries like China, the ability to stop them before they happen is imperative. Rogers and Ruppersberger admitted that as originally crafted, CISPA would likely not pass the Senate or get President Obama's signature. So they have introduced a number of amendments - in committee and on the House floor last week - to calm some of those fears.
What type of amendments? More than a dozen proposals were approved, but among the highlights: companies can only use information they receive for cyber-security purposes, not to help their business; the feds can't hold on to shared data and use it for "national security purposes"; clarification that CISPA does not authorize hacking; and a rule that incoming cyber data will be handled by the Homeland Security Department and the Justice Department.
What's next? CISPA now moves to the Senate, where senators can consider the bill as crafted, or write their own cyber-security legislation. If the Senate passes a bill and it differs at all from the House version, the two sides must hash it out together "in conference." But the White House also needs to be on board.
So there you go; a quick primer on CISPA. If you have any other questions, let us know in the comments.