Thursday, 3 May 2012

CISPA passes in U.S. House, what’s next?


Despite veto threats from the White House, the U.S. House of Representatives passed the controversial CISPA cybersecurity bill on Thursday. But how important is this bill and how might it affect Americans’ privacy?

What is CISPA?

The Cyber Intelligence Sharing and Protection Act (HR 3523) was authored in an attempt to enhance the ability of U.S.-based companies that own a large part of the nation's infrastructure to share information with the federal government in matters of digital security and potential attacks. Advocates of the bill point to countries like Russia and China that regularly use hacking methods to extract information from corporate and U.S. government servers.

The bill amends the National Security Act of 1947 (which, obviously, doesn’t mention cybersecurity), giving private companies the ability to willingly share your digital information with the government.

What do the proponents say?

Proponents argue that as espionage moves to the web, the United States must have a digital communications infrastructure in place that will allow businesses and government bodies to effectively and efficiently combat a hostile digital presence. Being able to share user information about potential or ongoing attacks could be vital in such a circumstance.

Congressman Mike Rogers (D-MI), who authored the bill, issued a press release on Thursday.

By permitting the private sector to expand its own cyber defense efforts and to use classified information to protect its systems and networks, this bill will help create a more robust cybersecurity marketplace with expanded service offerings and jobs. More importantly, this bill does not contain any new federal spending or impose additional federal regulation or unfunded mandates on the private sector. [Congressman Mike Rogers]

What do opponents say?

Opponents say the bill is too vague, ripe for abuse, and tramples on existing privacy laws. Particular attention has been given to a clause that states “notwithstanding any other provision of law,” companies may share information “with any other entity, including the federal government.” By using the word “notwithstanding”, CISPA can trump any local, state, or federal law that would otherwise stand in the way of information sharing – including laws that prohibit warrantless surveillance.

Furthermore, the Electronic Frontier Foundation has particularly criticized what it describes as vague definitions and says that, despite amendments, CISPA leaves the government and companies with too much leeway.

Even after amendments, “Cybersecurity system” defines the system that “cybersecurity providers” or self-protected entities use to monitor and defend against cyber threats. This is a “system” intended to safeguard “a system or network.” The definition could mean anything—a Local Area Network, a Wide Area Network, a microchip, a website, online service, or a DVD. It might easily be stretched to be a catch-all term with no meaning. For example, it is unclear whether DRM on a DVD constitutes a “cybersecurity system.” And such a “cybersecurity system” is defined to protect a system or network from “efforts to degrade, disrupt or destroy”—language that is similarly too broad. Degrading a network could be construed to mean using a privacy-enhancing technology like Tor, or a p2p protocol, or simply downloading too many files. [EFF]

What will happen next?

Next, the bill will go to the Senate where it is expected to come up for a vote in May. Should it pass, it will then move to the President’s desk. Although President Obama has already threatened a veto, several amendments have been made since the threat was issued and some question whether they might change the President’s decision down the road.

Why is all this important?

Whether or not CISPA passes is largely irrelevant; the fact is, we live in a changing world. As our bank accounts and personal profiles expand their online presence, governments and companies – and even cybercriminals – are going to have open access to your information.

When all is said and done, what you do online is NOT private information. But, if you take the proper precautions, it can be. Using common sense, virus protection and SumRando, you can keep your information safe.