FAQ: What you need to know about CISPA (Update: bill passes House)

The U.S. House of Representatives passed a major cyber-security bill that would change how companies like Facebook can share personal information. Privacy advocates are in uproar and the Obama Administration is threatening a veto. What’s going on?

UPDATE: The vote was originally scheduled for Friday but took place Thursday evening instead. It passed 248 to 168 on largely partisan lines. (Read our account here)

Here’s a plain English guide to the policies and politics driving the Cyber Intelligence Sharing and Protection Act:

So is this SOPA all over again?

Not really. The ill-fated Stop Online Piracy Act was about Hollywood trying to force tech companies to become copyright cops. CISPA, on its face, is about giving those same companies tools to confront cyber-attacks.

Isn’t that the same thing?

Critics said that an earlier version of CISPA was a stalking horse for the copyright industry — they worried that companies would dress up anti-piracy initiatives as security complaints. New language makes this unlikely and emphasizes that the bill is indeed about cyber-security.

Well, what cyber-security concerns are we talking about?

Major U.S. companies and government agencies have suffered hacking attacks in which intruders have stolen classified files, trade secrets or source code. The attackers include criminal gangs and state-sponsored (read: China) cyber espionage teams. Security experts warn that cyber-attacks lead to economic loss for companies and military vulnerabilities for the country.

Sounds scary. What does CISPA do to address this?

One of the bill’s main goals is to improve the sharing of information between companies and the government. In theory, it will be easier for the government to warn companies about security threats. In turn, the companies will have more ability to alert the government about suspicious activities or attacks.

So why do we need a new law for this?

CISPA wants to update existing laws like the National Security Act of 1947 to require authorities to share information about cyber-attacks as well as conventional military threats. There are also laws like the Wiretap Act and the Electronic Communications Privacy Act that limit what private companies can do with information about their customers. CISPA would help companies avoid getting sued under those laws when they share information about cyber-security.

Sounds reasonable. Everyone’s got to do their part to prevent a cyber-attack, right?

The problem, as you may have guessed, is that CISPA may be a lot broader than what is needed to get the job done. Critics worry that companies will be cavalier about passing data around if they don’t have to fear privacy lawsuits. Companies like Facebook, Amazon, Google and Netflix (many of which are supporting CISPA) are facing dozens of privacy-related lawsuits — CISPA might be a way to sidestep some of these in the future. Also, the government could invoke CISPA as a pretext to override civil liberties. From this perspective, CISPA is not so much SOPA but instead a new form of the Patriot Act.

Uh, oh. Is the law actually going to pass?

The bill passed the House amidst Democratic grumbling. Politico reports that Sen. Joe Lieberman expects a Senate version will see floor time as soon as next month. This does not, of course, mean that the bill will become law anytime soon — the approach of the November election is likely to put Congress into its semi-annual state of paralysis. Also, there are competing bills from the White House and also from people like Lieberman who want stronger measures to protect infrastructure like dams and utilities.

What about the veto threat?

The White House issued a strong statement on Wednesday that attacked CISPA for trampling privacy and civil liberties. It said the bill should include a provision obliging the government and companies to minimize the amount of personal data that passes between them. The statement stressed the “civilian nature of cyberspace” and warned of a veto. But veteran political types noted the veto threat contains a hedge — it says advisers would recommend a veto, not that the President will veto it.

Where can I learn more about all this?

The Electronic Frontier Foundation has its usual top-rate privacy analysis here. CNET’s Declan McCullagh has a worthy overview of the lobbying forces here and GigaOM’s Derrick Harris has a cool-headed look at the bill here. And the non-partisan Congressional Research Service has the bill and a summary here.

2 Responses to “FAQ: What you need to know about CISPA (Update: bill passes House)”

  1. Henry Massingale

    The problem is not Facebook or Twitter, it is in fact that States sell your personal information for money, and within that format is your Social Security Card.
    Now what Government Officials did not see by becoming involved in Afghans Oxy Heroin Health Care Concept was the building block to Organized Crime. So I wish to welcome all Government officials, Judges, Police Officers all the way to the FBI and DEA, welcome to our world where you have been sold out for a dollar. Now just like what happened in Mexico will take place in the USA because they know where you live and what you do, what your children are doing….
    Welcome To The Matrix Revolution, where people like me try to help by sharing a Clear and Present Danger, here and now.

    I can show you how to protect your system, I will do it for free, consider this a riddle for you to solve.
    Build a 3 Part Petition,
    1st. Petition lets call it Window Pass word.
    59445 and $%@!( EERTE

    Then you enter into;
    2nd Petition sign in and lets call it BIOS

    3rd Petition, lets call it MS-DOS


    In a 3 part petition, if a hacker fails to enter the right codes of the 3 different formatted forums, the system goes back to Windows Petition #1, and then they could have as little as 10 seconds to re-enter into the 3 different password-protected system.
    Even with the hacker's box interfaced with BOTS, the system is not fast enough to enter all the codes correctly. Also, the fail safe is a notification of the failed attempts at entering passwords. Then your tracing system has time to track this hacker with simple codes even such as java scripts. Now do not tell me I cannot track hackers by java, I assure you I can.
    sin., Henry Massingale