Congress nudged by NSA nominee to revive CISPA as intelligence reforms take shape
The NSA chief-in-waiting's testimony to Congress may be enough to inspire lawmakers to revive old cybersecurity legislation, which would indemnify Silicon Valley technology giants from sharing their users' data with the government.
Fixing something often breaks something else. And that often applies to government, too.
In efforts to reform the U.S. National Security Agency following the leaks by whistleblower Edward Snowden, the Obama administration's nominee to take on the troubled intelligence agency, Vice Admiral Michael Rogers, may have given lawmakers enough justification for rewriting provocative draft cybersecurity legislation that previously had the Internet up in arms.
"I believe to be successful, we ultimately have to provide the corporate partners that we would share information with some level of liability protection." — Vice Admiral Michael Rogers, March 2014
While lawmakers have for the past two years attempted to pass through Congress numerous cybersecurity bills, the White House was forced to step in with an executive order progressing the nation's cyber-defense capabilities.
But members of the Senate Intelligence Committee, who have been working on similar legislation, said this week that they were "very close" to finalizing a "critical" cybersecurity bill. And thanks to a new round of rhetoric from the highly decorated NSA nominee, the lawmakers now have further weight to support the idea of private industry data-sharing protections, reminiscent of the Cyber Intelligence Sharing and Protection Act (CISPA).
In his written testimony [PDF], Rogers suggested a "two-way" approach of "real-time sharing of cyber threat information" that is consistent with the "protections of U.S. person privacy and civil liberties."
He answered later into his advanced copy of questions:
"The information provided to the government should be limited to that which is necessary for the government to understand or take action to counter a cyber threat and to which all appropriate mechanisms have been applied to protect the privacy and civil liberties of US persons."
At a confirmation hearing on Tuesday, Rogers said that while cybersecurity legislation was a "step in the right direction," he highlighted that information sharing between private companies — such as Silicon Valley giants — would be, "in the long run… probably the right answer."
Such measures were the centrepiece of the controversial CISPA bill, which allowed companies — including software firms, social networks, and other technology industry giants — to share customer and user data with the government with legal indemnity and protections.
Under previous incarnations of CISPA, this meant a company like Facebook, Twitter, Google, or any other technology or telecoms company, including cell service providers, would be allowed to hand over vast amounts of data to the U.S. government and its law enforcement — for whatever purpose the feds deem necessary — and face no legal reprisals.
CISPA was highly opposed by privacy advocates and civil liberties groups, which described the bill as a "privacy killer" and "dangerously vague," yet it was supported widely by Silicon Valley and other technology firms.
Opponents of CISPA — from Web inventor Sir Tim Berners-Lee to the American Civil Liberties Union, Firefox-maker Mozilla to and Reporters Without Borders — warned that the Act may be in breach of the Fourth Amendment. In contrast, the bill received strong support from AT&T, Facebook, IBM, Intel, Oracle, Symantec, Verizon, and so on. (Although Google never publicly stated its position on the draft CISPA bill, it opposed the controversial copyright-protection bill Stop Online Piracy Act publicly on its main U.S. search page.)
But thanks to an amendment, if the bill became law, the companies trusted by customers to hold onto their data — codified into site-wide privacy policies — would not have been legally allowed to promise to protect a user's privacy.
That said, it wasn't enough to save the bill.
CISPA eventually crumbled on the Senate floor after a failed vote, with Sen. Jay Rockefeller (DWV), chairman of the Senate Commerce Committee, citing "insufficient" privacy protections. The White House previously said the President would veto the bill should it pass to his desk.
Tired of waiting for a Congress at loggerheads to come up with a legislative solution, President Obama signed an executive order into law in February 2013 that laid the groundwork for data sharing between companies operating critical national infrastructure with the government, without unravelling privacy protections in place for the ordinary citizen.
Now, for the third time, with draft cybersecurity legislation on deck to be revealed in the coming weeks or months, fears that CISPA could return in Congress may be justified — particularly now that lawmakers have further written and oral evidence to support an industry intelligence-sharing model.
Washington insiders have known for more than a year that CISPA may come back in some way, shape, or form. Rogers' words aren't exactly new — they echo those of former Homeland Security Secretary Janet Napolitano, who just a month before the cybersecurity executive order was signed, warned that a U.S. "cyber 9/11" was imminent.
In a speech at the Wilson Center a Washington D.C. think tank focused on international affairs and development, Napolitano advocated the passing of legislation that would allow sharing of classified intelligence with private industry and vice versa.
The all-but-confirmed NSA chief-in-waiting is far from being a new kid on the Congressional block, with years of military and intelligence-gathering service under his belt, and the prime candidate to take over Gen. Keith Alexander after a tumultuous final year in the job following the global surveillance disclosures. It's no surprise that Rogers' views will hold heavy weight in the chambers.
Though he cannot yet directly influence policy, his thoughts and views going in as the White House's favorite to take on the NSA into the new surveillance age could set a dangerous trend for personal privacy.