What is CISPA?

Photo via heipei/Flickr (CC BY SA 2.0)

The Cyber Intelligence Sharing and Protection Act, explained.

On Monday, congressman Dutch Ruppersberger (D-Md.) introduced the controversial cybersecurity bill known as CISPA to the House for the third straight year.

Ruppersberger’s office shared a copy of the text with the Daily Dot. As it happens, this version of CISPA—an acronym for the Cyber Intelligence Sharing and Protection Act—is word-for-word the exact same one that passed the House in April 2013.

At the time, the Daily Dot published an explainer about what’s in the bill, why, and why anybody supports or hates it. Since the bill’s wording is identical, we’ve republished the majority of it below, tweaked to better reflect what the bill means in 2014, in the wake of the Sony hack and President Obama’s new cybersecurity proposal.

CISPA was officially reintroduced to the House of Representatives on Wednesday. You’ve most likely been seeing plenty of headlines about it, and there’s a decent chance that you realize that it’s kind of a big deal, but you’re not clear on why it’s so contentious or how it could actually affect you.

So, what is CISPA?

In its most basic terms, it’s a cybersecurity bill. It’s the federal government saying “American computer systems are being attacked every day, often by Chinese hackers, and we’re relatively helpless to stop it. We need stronger defenses.”

How does it work?

CISPA is based on the idea of “information-sharing.” You can trace that term back to 9/11, when analysis of the event found that government agencies like the CIA and FBI didn’t share their intelligence with each other. The Patriot Act, first passed in 2001, stressed better communication between federal law enforcement agencies.

In the case of a cyberattack, or offensive hack, CISPA would allow, say, the administrator of a network that’s responsible for a city’s power grid to let the FBI take a peek to try to determine who the attacker is and what they’re doing.

That doesn’t sound so bad…

Except that means that any personal information you have on that network is now in the FBI’s hands. And there’s concern over just how easily a government agency can cry “cyberattack!” to justify accessing any private information it wants, without going through the usual process of getting a search warrant.

Recall, for instance, that the NSA’s tremendous online spy powers are supposed to be focused on spying on foreign terrorists, but that’s not always how it plays out. In 2013, Reuters uncovered that the National Security Agency will sometimes share evidence of severe crimes with the Drug Enforcement Agency. Since such evidence wouldn’t be admissible in court, the DEA then engages in what’s called “parallel construction” to make its own trail of evidence, since they already know what their suspect’s up to.

How serious are these cyberattacks, really?

That’s a major point of debate. Those in Washington who push for stronger cybersecurity have for years referred to an imminent “Digital Pearl Harbor” or “Cyber 9/11,” where attackers will derail our critical infrastructure (think power plants, or air traffic controls) without stronger laws. And, to be fair, the U.S. itself appears to have already carried out such an attack when it released the Stuxnet virus on Iran, seriously hampering that country’s nuclear research program.

On the other hand, some researchers have found that statistics on the frequency of cyberattacks against the U.S. tend to be misrepresented by the government and are vastly overblown.

Both Obama and Ruppersberger have invoked recent high-profile attacks, like the one on Sony Pictures Entertainment, as evidence that we need information-sharing legislation. But experts say that’s nonsense, and wouldn’t have helped Sony in the slightest.

So under CISPA, the government could claim there was a cybersecurity breach and spy on any website it wants?

It’s not that easy. As CISPA’s supporters repeatedly stress, information-sharing is voluntary. Any network would need to give permission for a federal agent to have access. Note, though, that means the network’s permission. Not yours.

Why would a network want to volunteer?

Pretty simple: It means the government helps out with its cybersecurity efforts, which can be a real burden. Facebook, for example, infamously initially supported CISPA.

If I admitted in an email that I stole a candy bar, and the Department of Justice sees it, am I going to jail?

No, it has to be big. There are a few extremely specific criteria that have to be met for the government to actually prosecute civilians based on information acquired through CISPA—stuff like child porn or intent to commit terrorism.

If I’m not a terrorist pedophile, do I have anything to hide?

Plenty argue that CISPA directly violates any modern interpretation of the Fourth Amendment, which prevents “unreasonable searches and seizures” without a warrant. And to put it mildly, privacy advocates heavily contest the “what if I have nothing to hide?” argument. In short, you probably do have something to hide even if you don’t realize it.

How is CISPA different from Obama’s proposal?

Obama’s proposal has several tenets, but both it and CISPA really stress information sharing. On one hand, privacy groups generally regard Obama’s version as similar, but with somewhat better user-privacy protections built in.

On the other hand, some groups, like the Electronic Frontier Foundation, question why we’d need an information-sharing law at all. There are already little-used government information-sharing programs in place, and a large number of high-profile hacks would be prevented if the victim used just basic security measures.

Will CISPA pass the House?

It’s still early. CISPA passed the House in both 2012 and 2013, but was led by the one-two punch of the two ranking members of the House Intelligence Committee, Ruppersberger and former Michigan Republican Mike Rogers, who has since retired.

Ruppersberger’s office has so far declined to share whether they’re getting enough promises to give the bill a chance. And it’s hard to imagine Obama signing a bill in 2015 that he openly disparaged and repeatedly promised to veto.

However, given his own proposal’s insistence on information-sharing, it’s definitely possible Obama would agree to a compromise. In previous years, he’d hoped that the Democrat-held Senate could find a cybersecurity bill more to his liking, but they couldn’t ever get anything to pass, much less something that the Republican House would. Now that Republicans control the Senate, too, Obama’s hands are more tied.

Kevin Collier

A former senior politics reporter for the Daily Dot, Kevin Collier focuses on privacy, cybersecurity, and issues of importance to the open internet. Since leaving the Daily Dot in March 2016, he has served as a reporter for Vocativ and a cybersecurity correspondent for BuzzFeed.