The Cyber Intelligence Security Protection Act was reintroduced to the House on Wednesday. Here’s a basic rundown of what CISPA does, and why you should care.
On Wednesday, the highly controversial Cyber Intelligence Security Protection Act (CISPA) was reintroduced to the House of Representatives. You’ve most likely been seeing plenty of headlines about it, and there’s a decent chance that you realize that it’s kind of a big deal, but you’re not clear on why it’s so contentious or how it could actually affect you.
We’ve addressed some of the biggest questions about the bill—everything from its privacy implications to its chances of passing—in the Daily Dot’s CISPA primer.
So, what is CISPA?
In its most basic terms, it’s a cybersecurity bill. It’s the federal government saying “American computer systems are being attacked every day, often by Chinese hackers, and we’re relatively helpless to stop it. We need stronger defenses.”
How does it work?
CISPA is based on the idea of “information-sharing.” You can trace that term back to 9/11, when analysis of the event found that government agencies like the CIA and FBI didn’t share their intelligence with each other. The Patriot Act, passed in 2001, stressed better communication between federal law enforcement agencies.
In the case of a cyber attack, CISPA would allow, say, the administrator of a network that’s responsible for a city’s power grid to let the NSA take a peek to try and determine who the attacker is and what they’re doing.
That doesn’t sound so bad…
Except that means that any personal information you have on that network is now in the NSA’s hands. And there’s concern over just how easily a government agency can cry “cyberattack!” to justify accessing any private information it wants, without going through the usual process of getting a search warrant.
How serious are these cyber attacks, really?
That’s a major point of debate. Those in Washington who push for stronger cybersecurity tend to refer to an imminent “Digital Pearl Harbor” or “Cyber 9/11,” where attackers will derail our critical infrastructure (think power plants, or air traffic controls) without stronger laws. And, to be fair, the U.S. itself appears to have already carried out such an attack when it released the Stuxnet virus on Iran, seriously hampering that country’s nuclear research program.
On the other hand, some researchers have found that statistics on the frequency of cyber attacks against the U.S. tend to be misrepresented by the government and are vastly overblown.
Is CISPA the next SOPA?
In the general sense—that it could give the government new power over the Internet and that activists are extremely riled up about it—yes. In basically any other sense, no, not at all.
SOPA (the Stop Online Piracy Act) was about protecting media companies’ copyrights, and would have made it easy for the government to shut down websites where even a commenter linked to pirated material. CISPA wouldn’t censor anything, but it would give the government much easier access to otherwise private information stored online.
So under CISPA, the government could claim there was a cybersecurity breach and spy on any website it wants?
It’s not that easy. As CISPA’s supporters repeatedly stress, it’s voluntary. Any network would need to give permission for a federal agent to have access. Note, though, that means the network’s permission. Not yours.
Why would a network want to volunteer?
Pretty simple: It means the government helps out with its cybersecurity efforts, which can be a real burden. Facebook, for example, infamously initially supported CISPA.
If I admitted in an email that I stole a candy bar, and the Department of Justice sees it, am I going to jail?
No, it has to be big. There are a few extremely specific criteria that have to be met for the government to actually prosecute civilians based on information acquired through CISPA—stuff like child porn or intent to commit terrorism.
If I’m not a terrorist pedophile, do I have anything to hide?
Plenty argue that CISPA directly violates any modern interpretation of the Fourth Amendment, which prevents “unreasonable searches and seizures” without a warrant. And to put it mildly, privacy advocates heavily contest the “what if I have nothing to hide?” argument.
Didn’t CISPA already pass the House?
Yes. In April 2012. But White House advisors vowed to veto it if it passed the Senate, citing essentially the same privacy concerns activists do, and it never even went to a Senate vote anyway. This new CISPA is the exact same bill, introduced a second time; its sponsors hope it’ll have more momentum and a better chance to pass this go-round.
Will Obama still veto it?
We can’t say that for sure. The advisors who promised the veto weren’t named, but it was likely at least influenced by cybersecurity coordinator and known CISPA-hater Howard Schmidt, who has since resigned. Obama hasn’t reaffirmed any desire to veto, though, and one of CISPA’s sponsors, though perhaps blustering, thinks the President will renege on his promise.
Wait, wasn’t CISPA defeated in the Senate last year?
Nope! That was a different cybersecurity bill, one generally more favored by Democrats. Called the Cybersecurity Act of 2012, it was brought for a Senate vote twice, and was shot down both times, even though Democrats have a majority in the Senate.
Will CISPA become law after all?
There’s a good chance it’ll pass the House again. CISPA curries a lot of favor with Republicans, and they control the House. Democrats view it far less favorably, though, and they control the Senate.
Is there a difference between CISPA and Obama’s executive order?
Oh yes. They’re not the same, though the order does have some of CISPA’s information-sharing provisions. For one thing, Obama doesn’t need congressional approval; the order was on the books as soon as he signed it. For another, Obama has followed the insistence of Senator Ron Wyden (D-Oreg.), who has likely the best voting record in Congress when it comes to Internet freedom. The order, unlike CISPA, makes a clear distinction between “critical infrastructure” (i.e. power grids), which will have to share information, and private social networks like Facebook.
Illustration by Jason Reed