Failed twice, revived again: CISPA returns despite concerns over privacy, data sharing

Privacy experts warned of catastrophic privacy invasions by the U.S. government, but the cybersecurity and data-sharing bill that just won't die has been revived once again by the Senate.
Written by Zack Whittaker, Contributor

Nuked twice, third time's the winner? With more lives than the average cat, it's the controversial bill that just won't die.

The re-branded bill, dubbed the Cybersecurity Information Sharing Act of 2014 by Sen. Dianne Feinstein (D-CA) and Sen. Saxby Chambliss (R-GA), bears all the hallmarks of what we previously knew as "CISPA," just with a letter "P" missing — for "Protection," no less, which some argued was in name only.

In a statement on Wednesday, Feinstein and Chambliss introduced the new cybersecurity and data-sharing bill that will allow:

"...companies to monitor their computer networks for cyber attacks, promotes sharing of cyber threat information and provides liability for companies who share that information."

Which isn't so far removed from what CISPA previously was.

We all knew that new cybersecurity legislation was coming. Both senators have been working on this new draft since October 2013, when they announced the bi-partisan bill was in the works.

The bill is currently in "discussion" draft and aims to garner feedback from private industry groups and the executive branch for later consideration.

But privacy advocates and legal experts were highly critical of the bill: one group called it a "zombie bill," and the American Civil Liberties Union, speaking to the Washington Post earlier in the year, called it a "step back."

Feinstein has been hellbent on the issue and notion of cybersecurity data sharing, even after the Edward Snowden leaks, and has been publicly outspoken about the whistleblower while trumpeting the work of the National Security Agency, whose work has already been called into question by a number of federal courts and secret surveillance hearings, as well as international bodies.

As a recap, CISPA — or any similarly named or like-minded bill — is a friend of private industry, Silicon Valley, and Internet companies. 

It is, however, not a friend of the average user of any social network, Internet or email provider, or anyone with landline or cellphone service.

CISPA would have allowed Silicon Valley giants, like Facebook, Twitter, Google — or any other technology or telecoms company, including cell service providers — to hand over threat-related data and customer data to the U.S. government and its law enforcement, in efforts to protect against cyber-attacks and patch security vulnerabilities.

Companies would be immune from criminal or civil prosecution as a result. The "P" in CISPA stood for "Protection," but as it turns out it was for the companies, and not their customers or users.

The upshot is that the U.S. government, including the Dept. of Homeland Security and the National Security Agency, will be allowed under the law to share threat data with private industry. The hope is that such a move will allow the prevention of attacks and data breaches before they happen.

But Feinstein and Chambliss' new draft gives companies far greater latitude to share customer and threat information in real time with anyone from state troopers to the federal government, according to civil liberties experts.

It's little surprise to many that the bill has reared its ugly head again.

In recent weeks and months, former and incumbent senior Obama administration officials have trumpeted the idea of cybersecurity and data-sharing between government and the private sector.

That's in spite of the White House previously saying the President would veto such a bill should it pass to his desk.

Tired of waiting for a Congress at loggerheads to come up with a legislative solution, President Obama signed an executive order into law in February 2013 that laid the groundwork for data sharing between companies operating critical national infrastructure and the government, without unravelling privacy protections in place for the ordinary citizen.

Former Homeland Security chief Janet Napolitano warned of a "cyber-9/11" if cyber-threat data couldn't be shared, months before Obama's executive order.

And, at the new National Security Agency director's confirmation hearing, Vice Admiral Michael Rogers offered lawmakers a similar line of thinking to make the nation safer. Suggesting a two-way flow of sharing real-time cyber threat information, he added: "I believe to be successful, we ultimately have to provide the corporate partners that we would share information with some level of liability protection."

Security industry experts at a panel in New York City last Thursday agreed with the remarks, calling such laws a "step in the right direction."

Right now, it's unclear exactly how far Feinstein and Chambliss' new Cybersecurity Information Sharing Act will go in Congress.

But rest assured. If today's statement is anything to go by, listen carefully to the pipes of the Internet. Because you can bet your bottom dollar the roaring screams of anger will surface soon enough.
