Backed by the momentum created by the signing of President Obama’s Executive Order earlier this year regarding the U.S. national cyber security policies, the Cyber Information Sharing and Protection Act (CISPA) was reintroduced to the House by its authors Reps. Mike Rogers and Dutch Ruppersberger, heads of the House Intelligence Committee. CISPA focuses on improving real time information sharing between the federal government and private sector in order to combat cyber attacks. It originally passed in the House during the spring of 2012 despite strong opposition from civil liberties groups and heavy criticism from the White House regarding the bill’s lack of privacy protections. However, the bill never made it past the Senate which was working on creating its own cyber security legislation.
The reintroduced bill recently passed the House again but without any key fixes to the core issues about privacy plus the lack of civil liberties protection, the bill experienced the same fate it did last year in the Senate, failing to even come to the floor for a vote. In addition, President Obama voiced his refusal to sign CISPA in its current form which ultimately sealed the death of the bill. Currently, staff and senators on The U.S. Senate Committee on Commerce, Science and Transportation are reported to be dividing the key concerns regarding cybersecurity policies and drafting separate bills to address the issues.
For any cybersecurity bill to succeed, the concern about the lack of privacy and possible infringement on civil liberties must be resolved. The intent of the original CISPA was to facilitate information sharing between private businesses and intelligence agencies. It legally protected businesses that shared information with agencies about its employees and customers, including email and social media activity. Under the mandate of “protecting the national security of the United States,” intelligence agencies were also allowed to collect personnel information from businesses as needed. Vague language and fear of unaccountable surveillance spurred opposition from civil liberties groups who felt CISPA was more “surveillance legislation” than data protection and security legislation and gave too wide a berth to information gathering under the guise of national security.
On the other hand, Obama’s Executive Order (EO) allows government data to be shared with private companies but does not include legal immunity for private sector companies that share people’s personal information with government agencies. Instead, it mandates that government agencies monitor the civil liberty impact of their cyber security programs and report on its effect on personal privacy. Another key issue is the redundancy of the information sharing provisions in CISPA are already covered in the EO which outlines procedures for national cyber security, information sharing and related privacy requirements. The EO already allows the Department of Homeland to share information on data breaches and cyber threats with private sector companies who work on the nation’s critical infrastructure and state and local governments.
As the debate over which piece of legislation ultimately becomes our nation’s cyber security standard, what’s clear is that there is a fine line between gathering data security information in the name of national security and privacy protection. Ultimately, the legislation that wins will be the one that recognizes the importance of both data security and personal privacy and provides defined boundaries for both.