It’s imperfect, but CISPA isn’t the devil in disguise

When it comes to outrage over the Cyber Intelligence Sharing and Protection Act of 2011, or CISPA, don’t believe the hype (not all of it, at least). The Electronic Frontier Foundation and hacktivist group Anonymous might have overblown the potential ramifications of the bill, but that doesn’t mean it’s well-written. CISPA still needs work to clear up what, exactly, it allows for, but strong congressional and industry support might make it a lot harder to stop than the Stop Online Piracy Act of 2011, or SOPA, which created an online firestorm earlier this year.

The criticism that, by including a provision for the protection of intellectual property, CISPA is little more than a less-conspicuous form of the draconian SOPA bill seems misguided. CISPA is vague and unnecessarily broad, but it’s not SOPA. In fact, the very same Internet companies that were so adamantly opposed to SOPA might support CISPA. Facebook already does. So does outspoken SOPA critic Darrell Issa (R-CA). Here’s why.

  1. CISPA is actually good, in theory. The idea of sharing cybersecurity information between private companies and the government has merit, especially in a world of increased cyberattacks against organizations in both sectors. If you’re trying to discover patterns in attacks, more data is always better, and web sites are attacked constantly. That companies also could have access to classified government data is particularly beneficial.
  2. CISPA doesn’t require service providers to do anything. SOPA all but forced service providers to monitor user behavior to the benefit of media companies (or to avoid being shut down by them), but CISPA only allows those providers to act in their own best interests. It’s unclear to me, at this point, why any company like Facebook, Google or Twitter would do anything other than obtain information on activity that directly affects the security of their platforms or their proprietary data.
  3. I’m not certain the inclusion of intellectual property protection was driven by ulterior motives. For one, CISPA actually reads as if private parties can only gather information relating to their own rights and property, which would mean ISPs can’t go about monitoring for copyright infringement because they don’t own any copyright. There’s a strong argument that the bill primarily targets cyberattacks aimed at stealing data or files from a company’s servers (CISPA co-author Mike Rogers (R-MI) said as much in a press conference yesterday), although existing cybersecurity law certainly targets some of that activity.
But CISPA isn’t perfect. In fact, it’s vague to the point of being a problem, which is what’s driving concern over the bill. To me, CISPA doesn’t read like SOPA in disguise, but it doesn’t expressly deny that possibility either.

Probably the biggest problem is what a company is able to do to “protect” itself from such threats. As the EFF points out, CISPA allows companies to “use cybersecurity systems to identify and obtain cyber threat information to protect the rights and property of such protected entity.” It also grants companies immunity from lawsuits if they exercise their rights under the bill in good faith.

If the EFF is correct, companies could bypass existing laws regarding the monitoring of communications, claim good faith and — if they have a solid case — be free from liability. The EFF also talks a lot about CISPA allowing service providers to “block” sites, although it’s unclear what type of activity the bill actually allows in response to information gathered. Does it allow them to obtain information and take shutdown actions like those SOPA would allow, or just to react to information only within the bounds of what’s already legal?

It’s a little scary, then, that CISPA has such strong support in the House of Representatives. Whereas SOPA had only 23 co-sponsors, CISPA has 106, including Issa. That web companies such as Microsoft and Facebook have signed off on it isn’t too promising, either. It likely will take some powerful voices to at least clear up the vagaries of the bill, but it’s hard to see where they’ll come from this time around.

Feature image courtesy of Rob Allday.

8 Responses to “It’s imperfect, but CISPA isn’t the devil in disguise”

  1. Appalled Citizen

    Literally ANY voice in support of this bill and bills like it is either a voice from those who stand to gain something from it (i.e. tech companies who will sell the information to the government) or from pathetically misinformed individuals. The internet works fine the way it is now, without individuals knowing that their every move can and will be documented and sent to government officials. The level of absurdity would almost be hilarious if it wasn’t so horribly frightening and sad at the levels of comparison to an Orwellian dystopia. I’m so ashamed to be an American and share the same country as these corrupt co-sponsors and legislatures.

  2. hmlongco

    House Intelligence Committee is starting a Twitter campaign that says CISPA (the new SOPA) keeps government hands off internet. They’re lying.

    The bill defines “cyber threat intelligence” and “cybersecurity purpose” to include “theft or misappropriation of private or government information, intellectual property, or personally identifiable information.”

    That’s intellectual property, with an IP. And while the bill itself does not have any provisions relating to blocking website access, it creates clear provisions for the government — and for private companies — to monitor and give data to Homeland Security.

    The people who already block and seize websites on behalf of the RIAA and MPAA.

    The “theft of government information” clause also provides for takedowns of “sensitive” information, such as that recently provided by Wikileaks, or other inconvenient or sensitive information that might be provided to sites by government watchdogs or whistleblowers.

    As is, it’s much, much, much too broad, and the fact that the government is broadcasting information that’s false-to-fact and ignoring the loopholes isn’t helping matters.


  3. It would seem we have to decide; does the threat of cyber attack on companies in any way equal the threat we face when we begin to chip away at one of the fundamental underpinnings of our democracy? To have lawmakers suggest that CISPA “just needs a little tweaking” should concern us all. It’s like Ben Franklin looking over and saying, “Whatcha think George?” “Ah, good enough”.

    • Derrick Harris

      Yes. What it needs is clarification on what types of data can be shared and for what purposes. What types of action can companies and the government take based on what they find. These are the things concerned citizens need to push for.

      It’s too broad and vague as is, but it doesn’t seem like demanding the bill be shelved altogether is going to work this time.

      • I don’t see the bill being shelved either, and the issue will not simply go away. We must make sure though that absolutely nothing is left to interpretation in those areas impacting our rights. If it’s vague in any manner we will be on that slippery slope.

  4. Dalamar

    It IS the devil in disguise. All loss of freedom is gradual, and really, we don’t have much left as it is with this burgeoning and inefficient government.

    As people just accept things without fighting it constantly, it’s only going to get worse.

  5. Lenticular Solace

    “The term ‘cybersecurity purpose’ means the purpose of ensuring the integrity, confidentiality, or availability of, or safeguarding, a system or network, including protecting a system or network from–

    ‘(A) efforts to degrade, disrupt, or destroy such system or network; or

    ‘(B) theft or misappropriation of private or government information, intellectual property, or personally identifiable information.”

    How exactly do you propose that a ‘cybersecurity provider’ ensures the integrity, confidentiality, or availability of, or safeguarding, a system or network, including protection of a system or network from efforts to degrade, disrupt, or destroy such system or network; or theft or misappropriation of private or government information, intellectual property, or personally identifiable information, if they don’t act on ‘intelligence’?

    What if a particular website or user hogs bandwidth and therefore degrades or disrupts your system or network? Do you do nothing or would you actively safeguard, protect and/or maintain the integrity of your system or network? If so, by what means? Would you limit access to the site or your network? Would you strip data or reroute access to a sub-tier network so as not to impact your other customers? Would you begin actively tracking the user’s browsing habits to make a determination at a later date? Before accepting new users would you check the shared history to see if he’s a problem user? If he uses too much bandwidth do you put him on a more expensive plan? Can he be denied because self-protected cybersecurity provider ISP “A” shares threat level history with self-protected cybersecurity provider ISP “B” even if such history was a false alarm?

    They worded the bill so poorly to hide the fact that this information will be traded like currency in the same way that data is currency to entities like facebook and google.

    As for your point 2 regarding that providers aren’t required to do anything per CISPA, I would say that they most definitely must act if they wish to remain a self-protected cybersecurity provider so that they have access to shared intel.

    There is also this: “(1) IN GENERAL.—The Director of National Intelligence shall establish procedures to allow elements of the intelligence community to share cyber threat intelligence with private-sector entities and encourage the sharing of such intelligence.”

    Will the Director of National Intelligence ENCOURAGE the Intelligence community and the Private sector equally? What form will this encouragement take? This is all just for starts.

    Lenticular Solace

    • Derrick Harris

      This is exactly the type of discussion we need to have in order to make legislation workable. It’s a bill that looks likely to pass and that has a defensible goal. Now, the trick is to clear up the ambiguities so it doesn’t lead to abuse. I wouldn’t call using too much bandwidth an *effort* to degrade in an effort to commit a crime, but you raise good points about how that info might be used.