While Americans marathoned House of Cards in their Snuggies, Representatives Mike Rogers and Dutch (née Charles Albert) Ruppersberger announced that they will reintroduce the Cyber Intelligence Sharing and Protection Act this week. According to some of the internet advocates who organized last year’s SOPA Blackout, this is a vile political move worthy of Francis Underwood. In their view, CISPA is “SOPA 2.0” — a privacy killer of an open internet. But is it really time to turn Google, Reddit, and Wikipedia dark and activate the cat signal?
CISPA is a proposed amendment to the National Security Act of 1947. It would make it easier for private companies and the government to share information related to “cyber threats.” This means that it would be easier for Facebook or Twitter or your Internet Service Provider to share your personal information with the CIA, NSA, and FBI. The companies could share your personal data, location, browser and search histories, emails, messages, and other sensitive information, so long as it is related to “cyber threats.” The “cyber threat intelligence” definition is very broad — currently any information “pertaining to a vulnerability of” a computer network would apply. The bill has no limits on how long the government can keep the data it collects. It would be difficult to keep the government from searching that data for reasons unrelated to national security. And the sponsors in the House have beaten back proposed oversight amendments, so feel free to panic about the Predator Drone hovering outside your window as you surf your way through 4chan.
The House passed CISPA last year, but it stalled in the Senate, which is working on its own bill. President Obama prefers the Senate bill and has threatened to veto CISPA. President Obama is reportedly considering a draft executive order to deal with cyber threats, but an executive order is a poor substitute for proper legislation.
Absent internet activism, there are reasons to believe that a bill closer to CISPA may win Obama’s signature.
First, America faces more cyber attacks. The Chinese spying on the New York Times, the Wall Street Journal, and Washington Post and the Super Bowl hacking of the Federal Reserve revealed real issues about computer security — and we found out about them all at once. These events are a concentrated dose of reality for policymakers, who describe us as “under siege” and at risk of a “Cyber-9/11.”
Second, the internet’s champions are not as united against CISPA as they were against SOPA. ProPublica has a fine table on this. Facebook and Microsoft, both of whom opposed SOPA, have written letters in support of CISPA. This is because the sharing goes both ways — Facebook would love to have more government intelligence as it privately defends itself from cyberattacks.
The public is ready to accept real cybersecurity legislation. We are threading computers and the internet throughout every aspect of our lives. We need them to work properly to power our homes, run our businesses, engage with our culture, and keep the country safe. We are aware of how vulnerable we are to computers that fail — whether because of bad weather, bad software, or bad guys. We get it.
But CISPA does not demand that companies take standard measures to secure their networks, or update their software, or use other cybersecurity strategies. Does increased surveillance have to be the first choice?
An advocate for the Digital Age, Michael Phillips is an associate at a Wall Street litigation boutique (though he is not your attorney and this piece does not constitute legal advice for you!). He has been called a “thick-haired man” by the New York Times.