By: Brian Bayne
The issue of cyber security is quickly becoming a major talking point as more and more people recognize its importance in preserving Unites States’ national security. The need to protect the public and private sectors from cyber threats was even mentioned in this year’s State of the Union Address. However, the way the United States should address the threat of cyber attacks has been very controversial with many people criticizing the proposed methods for comprising personal privacy.
One of the most controversial proposals to address cyber security is the Cyber Intelligence Sharing and Protection Act (CISPA). CISPA was first introduced in the 112th Congress by Congressman Mike Rogers on November 30, 2011. While the bill passed through the house by a 248-168 vote in April 2012, it died in the Senate where it was never debated after being referred to the Select Committee on Intelligence. One of the reasons the bill never saw the light of day in the Senate was because President Obama threatened to veto the bill. The reason for this is because the president believed the bill did not effectively address the nation’s cyber security needs and unduly infringed upon citizens’ personal privacy. However, while many believed that CISPA would die with the 112th Congress, Mike Rogers reintroduced the bill in the 113th Congress on February 13, 2013.
In order to understand why CISPA is controversial it is important to understand what exactly CISPA proposes. CISPA would amend the National Security Act of 1947 so that it would address cyber attacks through provisions concerning cyber threat intelligence and information sharing. The bill first defines what cyber intelligence is and then requires the Director of National Intelligence to establish procedures and encourage the sharing of cyber intelligence among the government and private sector entities. The bill then permits approximately 600 federal agencies to use the information gathered for four uses: (1) cyber security purposes including ensuring the integrity, confidentiality, availability, or safeguarding of a system or network; (2) to investigate cyber security crimes; (3) to protect individuals from danger of death or serious bodily harm including protection of minors from child pornography, sexual assault, and human trafficking; and (4) to protect United States national security. The bill also grants broad protections from liability to private companies for abusing or mishandling personal information when providing the government with data it collects as potential cyber intelligence. It is the combination of the broad amount of data that CISPA allows the government to collect from private entities with the vagueness of when the government may prosecute individuals based on the information gathered that makes CISPA so controversial.
While many understand the importance of protecting government and private enterprises from cyber attacks, they also believe the CISPA can be too easily abused and will be used as a tool to prosecute individuals for crimes other than cyber attacks. Some have drawn comparisons between CISPA and the PATRIOT Act noting that the PATRIOT Act was passed as a tool to combat terrorism, but due to its vague language, has been expanded and used as a tool to monitor individuals and prosecute them for other crimes. The fact that CISPA allows private data to be reported to federal agencies and used to prosecute those who may commit bodily harm to others, as well as those who fall into the vague category of threat to national security, suggests that CISPA may be used in a much broader manner, much like the Patriot Act. However, while CISPA is perhaps too broad, that does not mean that no cyber security bill should be passed. Because of the seriousness of potential cyber attacks to the US economy and national security, a better solution should be to reform CISPA and fix the language that makes the bill so over reaching.
There are a number of ways that CISPA could be reformed to make a better tool for fighting the threat of cyber attacks. One way to reform CISPA is to reduce the invasion of personal privacy by requiring private companies to remove personal identifiable information from the data they share with government agencies. Since such personal information is not related to cyber security, CISPA’s stated goal of combating cyber attacks would not be reduced, but the risk to an individual’s privacy would be greatly reduced. Another potential revision would be to limit the federal agencies that initially receive data. If only non-law enforcement agencies initially received the shared information, and only pertinent data was passed to law enforcement agencies, then CISPA might not have the same risks of use for non cyber security purposes. Finally, the broad immunity granted to private entities for mishandling data in CISPA should be removed. If private entitles were held accountable for transmitting excess personal information to federal agencies, then it is less likely that they would forward non-cyber security related data. Cyber Security is and will continue to be a major part of ensuring American’s national security, but it is important to balance this need with an individual’s right to privacy.