Congress nudged by NSA nominee to revive CISPA as intelligence reforms take shape

Summary: The NSA chief-in-waiting's testimony to Congress may be enough to inspire lawmakers to revive old cybersecurity legislation, which would indemnify Silicon Valley technology giants from sharing their users' data with the government.

NSA's headquarters in Fort Meade at night. (Image: Trevor Paglen/Wikimedia Commons, CC)

Fixing something often breaks something else. And that often applies to government, too.

In efforts to reform the U.S. National Security Agency following the leaks by whistleblower Edward Snowden, the Obama administration's nominee to take on the troubled intelligence agency, Vice Admiral Michael Rogers, may have given lawmakers enough justification for rewriting provocative draft cybersecurity legislation that previously had the Internet up in arms. 

"I believe to be successful, we ultimately have to provide the corporate partners that we would share information with some level of liability protection." — Vice Admiral Michael Rogers, March 2014

While lawmakers have for the past two years attempted to pass numerous cybersecurity bills through Congress, the White House was forced to step in with an executive order progressing the nation's cyber-defense capabilities.

But members of the Senate Intelligence Committee, who have been working on similar legislation, said this week that they were "very close" to finalizing a "critical" cybersecurity bill. And thanks to a new round of rhetoric from the highly decorated NSA nominee, the lawmakers now have further weight to support the idea of private industry data-sharing protections, reminiscent of the Cyber Intelligence Sharing and Protection Act (CISPA).

In his written testimony [PDF], Rogers suggested a "two-way" approach of "real-time sharing of cyber threat information" that is consistent with the "protections of U.S. person privacy and civil liberties."

Later in his advance copy of questions, he answered:

"The information provided to the government should be limited to that which is necessary for the government to understand or take action to counter a cyber threat and to which all appropriate mechanisms have been applied to protect the privacy and civil liberties of US persons."

At a confirmation hearing on Tuesday, Rogers said that cybersecurity legislation was a "step in the right direction," and highlighted that information sharing between private companies — such as Silicon Valley giants — would be, "in the long run… probably the right answer."

Such measures were the centrepiece of the controversial CISPA bill, which allowed companies — including software firms, social networks, and other technology industry giants — to share customer and user data with the government with legal indemnity and protections.

Under previous incarnations of CISPA, this meant a company like Facebook, Twitter, Google, or any other technology or telecoms company, including cell service providers, would be allowed to hand over vast amounts of data to the U.S. government and its law enforcement — for whatever purpose the feds deem necessary — and face no legal reprisals.

CISPA was highly opposed by privacy advocates and civil liberties groups, which described the bill as a "privacy killer" and "dangerously vague," yet it was supported widely by Silicon Valley and other technology firms.

Opponents of CISPA — from Web inventor Sir Tim Berners-Lee to the American Civil Liberties Union, Firefox-maker Mozilla to Reporters Without Borders — warned that the Act may be in breach of the Fourth Amendment. In contrast, the bill received strong support from AT&T, Facebook, IBM, Intel, Oracle, Symantec, Verizon, and so on. (Although Google never publicly stated its position on the draft CISPA bill, it opposed the controversial copyright-protection bill Stop Online Piracy Act publicly on its main U.S. search page.)

But thanks to an amendment, if the bill became law, the companies trusted by customers to hold onto their data — codified into site-wide privacy policies — would not have been legally allowed to promise to protect a user's privacy.

That said, it wasn't enough to save the bill. 

CISPA eventually crumbled on the Senate floor after a failed vote, with Sen. Jay Rockefeller (D-WV), chairman of the Senate Commerce Committee, citing "insufficient" privacy protections. The White House previously said the President would veto the bill should it pass to his desk.

Tired of waiting for a Congress at loggerheads to come up with a legislative solution, President Obama signed an executive order into law in February 2013 that laid the groundwork for data sharing between companies operating critical national infrastructure with the government, without unravelling privacy protections in place for the ordinary citizen.

Then last month, the White House unveiled the Cybersecurity Framework in a bid to better engage with Silicon Valley in particular to stave off attacks against critical national infrastructure and enhance their own cybersecurity.

Now, for the third time, with draft cybersecurity legislation on deck to be revealed in the coming weeks or months, fears that CISPA could return in Congress may be justified — particularly now that lawmakers have further written and oral evidence to support an industry intelligence-sharing model.

Washington insiders have known for more than a year that CISPA may come back in some way, shape, or form. Rogers' words aren't exactly new — they echo those of former Homeland Security Secretary Janet Napolitano, who just a month before the cybersecurity executive order was signed, warned that a U.S. "cyber 9/11" was imminent.

In a speech at the Wilson Center, a Washington, D.C. think tank focused on international affairs and development, Napolitano advocated the passing of legislation that would allow sharing of classified intelligence with private industry and vice versa.

The all-but-confirmed NSA chief-in-waiting is far from being a new kid on the Congressional block, with years of military and intelligence-gathering service under his belt, and is the prime candidate to take over from Gen. Keith Alexander after a tumultuous final year in the job following the global surveillance disclosures. It's no surprise that Rogers' views will hold heavy weight in the chambers.

Though he cannot yet directly influence policy, his thoughts and views going in as the White House's favorite to take on the NSA into the new surveillance age could set a dangerous trend for personal privacy. 

  • Yeah right,

    Just what the rest of the world needs, less privacy protection.
    • Privacy oriented individuals will move to sites hosted outside the US.

      That goes for both US users and foreign users. There are a number of European countries that have higher privacy standards than the US.
      • Doesn't necessarily help...

        As we have seen, the NSA has no qualms forcing companies to break European law by illegally transferring data to the US and/or violating safe harbor provisions on European data on US servers, all without informing the individuals concerned. Plus they are happily hacking nodes and other telecommunication facilities from within Europe.
    • Old School Thinking...

      "He that would make his own liberty secure, must guard even his enemy from oppression; for if he violates this duty, he establishes a precedent that will reach to himself."
      -= Dissertation on First Principles of Government, December 23, 1791 =- Thomas Paine
  • First there was the Military-Industrial Complex which protects defense

    firms from being sued by citizens of the United States. (For example, faulty wiring on the F-16 Falcon jet fighter contributed to the deaths of several pilots. The families of those pilots could not sue General Dynamics for loss of life damages. BTW, this case went to the Supreme Court, if I'm not mistaken.)

    Now, the Government is proposing a similar arrangement for tech firms - perhaps the beginnings of a Cybersecurity-Industrial Complex.

    For example, persons who incur harm or damages thru actions by these tech firms and government intelligence agencies would be unable to sue those tech firms (or the government) if the government requested information from those tech firms which later negatively impacted that person's life.

    Personally, I have been amazed by the integrity of the tech firms to date for refusing to back this sort of legislation. The leaders of Apple, Microsoft, Facebook, Twitter, Google have shown far more courage and integrity than the corporations that form the basis for our current military-industrial complex.
  • Good luck in the "land of the free"

    Passing such legislation will only hasten the rush away from the US as a trustworthy place to do business. Web companies are already feeling the pain from the NSA revelations, and things can only get worse if something like this is passed.

    When Latin America decides to no longer route its Internet traffic through the US because of the risks to it; when businesses are fearful of the back doors built into US tech products; when one of the most trusted companies in Internet security appears to have accepted $10m from the NSA to weaken that security, the rest of the world learns some useful lessons.

    As for the inevitable "but everyone does it" response to this - do you really think that any other country is in the enviable position that the US (up to now) has held in the online space? Do you really think that Russia and China are appropriate countries with which to compare your alleged freedoms? Do you really think that nothing can or should be done about this hijacking of democracy and freedom by a few?
  • Actually...

    ...Adm Rogers is already NSA Director as that job does not require Senate confirmation (should, but doesn't). The confirmation hearings are for his nomination to be the head of the Cyberwarfare Command.
    John L. Ries
  • Could eventually be the death of US IT industry

    My company is already losing foreign business because of the concerns about US snoops and collusion by American companies. There is very little trust in some of those companies named in the article that they are just trojans for the US spy machine.

    America no longer has a lock on IT innovation, a lot of R&D and engineering has already been farmed out to Asia so it would only take some strategic investments by China, India or Korea to step in and take the crown jewels away from the US companies.
    terry flores
    • In a free market

      We should see the need for the US to make and retain loyal talent. You come across suggesting only the US is full of snakes and every other country is pure. In which case, why are you still here?
  • It's no surprise that Rogers' views will hold heavy weight in the chambers

    Well, not really, Rogers is now being seen as a lobbyist preaching the NSA and administration's increasingly desperate misinformation, and comprehensively painting himself into his own little farce corner... even the GOP loonytoons are calling him out, and amazingly, are actually correct in their criticisms. The fact the administration is backing him is a pathetic reflection on their attitude to their citizens' rights...
  • Don't blame Rogers; he is just following Our Dear And Glorious Leader

    Dear And Glorious Leader Barack knows what is best for us and will not let obsolete concepts like "privacy", "Bill of Rights", "U.S. Constitution" (except for Article II), interfere with Progressivism.
  • Welcome to the era of Big Brother

    That about sums it up.
  • Share your own data

    But what CISPA appears to be trying to indemnify is the practice of sharing other people's data.
    John L. Ries
  • These

    creepy freaks just won't stop, no matter how loud and clear the message that is sent to them, they just want to control every nitpicking detail of our lives.
    Well, as history shows, the bigger the control freak the bigger the smashing fall at the end.
    Let 'em have their dominating control, I doubt it will last real long....and I'd be willing to bet the end will be very messy indeed.
  • Intel Overthrows Gov

    My record of service to this corrupt and evil nation should be a wake up call to all young men and women who are lured into battle to defend the enemy of mankind (the United States of America) because ...The soldier may become an experimental dog .

    Overthrow of government by intelligence community:

    Sosbee's Affidavits, 2007 & 2014: