Last night, the White House issued its Statement of Administration Policy (SAP) on H.R. 3523, the Cyber Intelligence Sharing and Protection Act, commonly called CISPA. Unfortunately, the SAP does not reflect the changes that the bill’s authors – Republican Representative Mike Rogers of Michigan and Democratic Representative Dutch Ruppersberger of Maryland – had agreed to include after long and productive discussions with privacy groups, especially the Center for Democracy and Technology (CDT). As a result, there are gaps in the White House analysis, and a lot of misguided criticism of the bill.
It’s also important to note that the White House focuses on what it wishes were in the bill. The Rogers-Ruppersberger bill focuses on the vital component of cyber threat information sharing. Yet, the White House zeroes in on its concern for critical infrastructure protections. There’s one problem: critical infrastructure isn’t part of the bipartisan CISPA and never was intended to be. Critical infrastructure is covered in different House and Senate legislation, and it is on those bills where the Administration should place that focus.
That said, the White House opens its argument with a very positive statement:
“The sharing of information must be conducted in a manner that preserves Americans' privacy, data confidentiality, and civil liberties and recognizes the civilian nature of cyberspace. Cybersecurity and privacy are not mutually exclusive.”
The tech sector absolutely agrees with this. That’s why, even before this legislation went to committee in December, we engaged the Administration, members of Congress, and key stakeholders to strike that balance. Those efforts became the focus of much public attention these past two weeks, as we worked very closely with the CDT, Rep. Rogers, and Rep. Ruppersberger to find common ground on privacy provisions. The end result of those talks was an agreement that would have made, according to CDT, “several important privacy improvements.”
Here is a look at the rest of the White House claims, versus the reality of what the House is going to consider:
CLAIM: “[I]nformation sharing, while an essential component of comprehensive legislation, is not alone enough to protect the Nation's core critical infrastructure from cyber threats.”
- REALITY: Cyber threat information sharing is the key component of any strengthened cyber security defense. In testimony in March, General Keith Alexander, the commander of the U.S. Cyber Command and the director of the National Security Agency (NSA), put it clearly:
“Industry partners see signatures that government doesn't see, and government sees signatures or malicious software, exploitations, and attacks into the country that industry doesn't see. The information sharing and the ability to do that is key to stopping that.”
“In cyberspace, what we're saying is, armed with the signatures, the malicious software, those things that help us understand that an attack is going on, we believe that industry is the right ones to tell the government that they see that and get us to respond to it.
“So I just want to clarify, because I do not believe we want NSA or Cyber Command, or the military inside our networks watching it. We think industry can do that, and we think that's the right first step.” (Senate Armed Services Committee, 3/27/2012)
CLAIM: “[T]he bill would allow broad sharing of information with governmental entities without establishing requirements for both industry and the Government to minimize and protect personally identifiable information.”
- REALITY: The bill requires protections of personally identifiable information. A company that shares information voluntarily with the federal government can place tough restrictions on the data, including who can use the information and how it is used. Irrelevant user experience and history, transactions, and personal information would be shielded. This is spelled out plainly in the legislation (section 1104).
In addition, as part of the changes that CDT and the bill’s sponsors worked out, the protections would be spelled out more clearly. The change would result in strict limitations on the federal government’s use of shared information for five explicit purposes – cybersecurity, prosecution of cybercrime, protection of people from death or serious bodily harm, protection of kids from child porn, and protection of our national security (read: stopping terrorist attacks).
CLAIM: “Moreover, such sharing should be accomplished in a way that permits appropriate sharing within the Government without undue restrictions imposed by private sector companies that share information.”
- REALITY: By calling for no limitations on how shared data are used, the White House is directly contradicting its stated desire to protect personally identifiable information. Let’s be clear: the bill would not allow for unfettered use of shared information. Again, private companies that share cyber threat information with the government can place very restrictive limitations on how it is used, and with whom it is shared. User experience and history, transactions, and personal information would be better safeguarded, providing more individual security online – not jeopardizing it.
CLAIM: “Without clear legal protections and independent oversight, information sharing legislation will undermine the public's trust in the Government as well as in the Internet by undermining fundamental privacy, confidentiality, civil liberties, and consumer protections.”
- REALITY: CISPA is not SOPA. Privacy expert after privacy expert has lined up and made that case clear. SOPA would have fundamentally altered the relationship between Internet users and service providers by focusing on protecting copyrighted works of entertainment, such as movies and music. CISPA focuses on protecting ordinary consumers who utilize the Internet to improve their everyday lives. The bill has the clear intent to enable only the sharing of cyber threat information between the private sector and government, things like indicators of compromise, hostile IP addresses, and updated IDS rules. Personally identifiable information would be shielded and personal liberties are protected. To reinforce that fact, the Inspector General of the Intelligence Community would be required to issue an annual report reviewing the use of cybersecurity threat information and develop metrics to determine the any unintended impact on privacy and civil liberties.
CLAIM: Finally, the White House renews its call for the federal government to regulate cybersecurity. “The Administration's proposal also provided authority for the Federal Government to ensure that the Nation's critical infrastructure operators are taking the steps necessary to protect the American people... Voluntary measures alone are insufficient responses to the growing danger of cyber threats.”
- REALITY: We all agree that we need to protect critical infrastructure. But this won’t be accomplished through the conventional, uncoordinated lineup of siloed analysts, regulations, and products. Such an approach would be focused on the last intrusion and not adaptable to meet the challenge of the next one. We need to leverage an improved system that is fast and flexible, driven by the power of multi-source intelligence, and led by the private sector. Given the rapid innovation in the tech sector, government-mandated, static solutions would prove insufficient. Government shouldn’t be prescribing solutions, but requiring results.
In our online world, cybersecurity is personal security. The stronger, faster, and more flexible we can make our cybersecurity system, the safer individuals, businesses, and the government will be online. Cybercrime targets individual information. Personal information – names, addresses, Social Security numbers, credit card info, and so on – represented 95 percent of all the data compromised by cyber intrusion last year.
Consider the everyday applications that we all rely on -- online banking, social networking, picture sharing, health care systems access, music and movies, real-time weather and traffic reports. Cybersecurity helps to protect the integrity and access to those systems and applications. Without a strong defense, individuals and the sites we rely on are jeopardized.
We urge the House to approve CISPA, and to do so with the six privacy amendments offered that would further enhance the privacy protections in the legislation. And we urge the White House to continue to work with both sides of the aisle on a final package without delay.