On April 26, 2012, the U.S. House of Representatives passed the Cyber Intelligence Sharing and Protection Act (CISPA). According to the bill sponsors, CISPA is an essential update to the National Security Act of 1947 that adds provisions allowing for information about “cyber threats” to be shared between the government and private industry. The bill loosely defines “cyber threats” as potential vulnerabilities to government or private networks, including risks associated with efforts to disrupt those networks or steal intellectual property or personally identifiable information. Under CISPA, the government would act as a central information clearinghouse for cyber threat information collected across the country.
CISPA has been referred to by privacy alarmists as SOPA 2.0 (we all remember SOPA, right?), but such a characterization is lazy. Both bills are similar in that they are ultimately concerned with stopping illegal online activities; however, unlike SOPA, which was ostensibly aimed at stopping illegal downloading of copyrighted content, CISPA is designed to create an information exchange between the government and private industry to share cyber threat intelligence. Few would argue that monitoring and sharing information about attacks and threats of attacks on the networks that underpin our economy is not an important objective. Where CISPA raises privacy concerns is in the details of how the information is to be shared. The bill allows companies full control to determine how much information they share with the government. In the event the government has some information an individual company needs regarding a potential threat, the concern is that the government could use that leverage to require more information from the company than it otherwise would be willing to share.
Privacy advocates’ concerns over the method and breadth of the data sharing has been echoed by the White House in a threat to veto CISPA as currently drafted. As a result, CISPA likely will see some revisions in the Senate, where it will be considered along with Senator Lieberman’s Cybersecurity Act of 2012 and Senator McCain’s SECURE IT bill.