Could new “Cybersecurity laws” being debated in Congress give the U.S. government and private companies unbridled power to block any website they choose?

That’s one fear with House Bill 3523, also known as the Cyber Intelligence Sharing and Protection Act (CISPA) of 2011. While the bill is not yet up for a vote, it is gaining support in Congress and with major Internet Service Providers (ISPs).

Actually an amendment to the National Security Act of 1947, CISPA is intended to allow the government to effectively pursue cyber threats. However, as is often the case with controversial Internet legislation, CISPA is being criticized as being written so broadly, it might grant the enormous power to both the government and to private companies willing to seize it—all they’d have to do it claim they’re motivated by “cybersecurity purposes.”

Proponents of the bill argue that both public and private information systems are highly vulnerable to attack. Lockheed Martin, a major defense contractor, has written the following in support of the legislation:

...Connectivity and our dependence on it has made us vulnerable to a host of actors intent on doing us harm…. We must defend our networks from attacks across the spectrum—the common hackers with malicious intent, the cyber thieves seeking our intellectual property, and the nation state actors attempting to undermine U.S. national security.

CISPA is similarly supported by some of the country’s largest ISPs.

AT&T called it “an important and positive step in strengthening cybersecurity collaboration.” Verizon “applauds [CISPA’s] sponsors for taking a focused approach to enhancing our national cybersecurity-defense capabilities.”

However, Internet rights organizations are concerned that the powers contemplated by CISPA are far too broad. For instance, under CISPA, any company in the private sector could “use cybersecurity systems to identify and obtain cyber threat information to protect [that company’s] rights and property.”

That’s problematic, according to the Electronic Frontier Foundation (EFF), since “because ‘us[ing] cybersecurity systems’ is incredibly vague, it could be interpreted to mean monitoring email, filtering content, or even blocking access to sites.”

Further, the bill declares that “theft or misappropriation of [...] intellectual property” constitutes “cyber threat” intelligence. The EFF warns that under this provision, an ISP could “monitor communications of subscribers [including text messages and emails] for potential infringement of intellectual property,” blocking its customers’ Internet access, or certain websites, without fear of repercussion.

Similarly, the Center for Democracy and Technology (CDT) is concerned about language in CISPA that indicates the government and Internet companies can ignore privacy laws anytime—again—“cybersecurity” is at risk.

“The structure and incentives in the CISPA bill raise a very real possibility that the NSA or DOD’s [Department of Defense’s] Cybercommand would become the primary recipient of communications information shared by ISPs,” the CDT warns.

This would permit a radical change in national cybersecurity policy from civilian control to the military.

— CDT

CISPA is one of four cybersecurity bills currently before the legislature and is the item of greatest concern to organizations such as the EFF. March 29, the bill broke 100 supporters in Congress. It currently stands before the House of Representatives.

Photo by Rashan J