CISPA would let companies legally hack, says CDT


Broadly-written provisions within the re-introduced Cyber Intelligence Sharing and Protection Act would place too much power within companies sharing cyber threat information with the government and within the federal government, privacy advocates from the Center for Democracy & Technology said during an April 3 press call.

Privacy advocates are gearing up for a campaign against the bill (H.R. 624), which the House approved in 2012, but which did not make it past the committee stage in the Senate. The House Intelligence Committee – Chairman Mike Rogers (R-Mich.) and Ranking Member Dutch Ruppersberger (D-Md.) are its sponsors – is set to mark up the re-introduced bill the week of April 7, ahead of a "cyber week" of House floor action set for mid-April.

Greg Nojeim, CDT senior counsel, noted during the presser that the liability protection provision in CISPA would shield companies participating in cyber threat information sharing authorized by the bill from civil or criminal suits launched over "decisions made based on cyber threat information."

"What might those decisions be? What if one's decision made on the receipt of cyberthreat information…is to render the sending computer inoperative?" he said.

Leslie Harris, CDT president, said the bill as written also is too broad in the immunity it grants participating companies from federal laws. A CDT-proposed markup (.pdf) would specify the federal statutes from which companies would be excluded for the purposes of cyber threat information sharing, such as the anti-trust laws, the Electronic Communications Privacy Act and the Wiretap Act.

Without specifying which laws would be exempt, "we don't even know what we're granting immunity from," Harris said.

CDT officials also say CISPA is overly broad in the information companies could share with the government. "It's more than [threat] signatures that people want to share…They want to share information about peaks in traffic, about particular ports being used for large quantities of traffic," Nojeim said.

CISPA should include language that the Senate Homeland Security and Governmental Affairs Committee approved in 2012 that would require the Homeland Security Department privacy office to lead an administrative process setting rules for minimization, Nojeim said. Writing detailed minimization rules directly into legislation would be too large a challenge and would require legislation to update, he added.

Secondary use of cyber threat information – government utilization of data for purposes other than those for which it was intended – is also a problem, CDT officials said. The bill would allow secondary use for national security purposes, an exception that would turn into "most anything that an intelligence agency thinks might be related to national security," Nojeim said. CISPA would risk letting cyber threat information sharing turn into a backdoor wiretap, he said.

Some secondary uses are permissible, Nojeim said. CDT agrees that a law enforcement exception should exist, albeit in a narrower form than currently written into CISPA. The bill would allow a secondary purpose "for the protection of individuals from the danger of death or serious bodily harm" and for the investigation and prosecution of crimes involving those matters; CDT says the exception should be only for when there is "imminent danger," rather than just "danger."

The fact that the bill would allow companies to share with agencies besides DHS also came in for criticism. "One of the problems with the legislation is that the companies chose their dance partners," Nojeim said, reiterating CDT concern that agencies would share directly with the National Security Agency.

For more:
- go to the THOMAS page for H.R. 624
- download the CDT mark (.pdf)
- read an April 1 blog post by Nojeim on CISPA
