The rapid approval of new cybersecurity legislation in the U.S. House of Representatives on Thursday has caught opponents off guard. The controversial Cyber Intelligence Sharing and Protection Act of 2011 (CISPA) would grant law enforcement and national-security agencies broad powers to monitor private electronic communications. The 248 to 168 margin was especially galling to critics who had harshly denounced the bill as even more expansive than either the Stop Online Piracy Act or the PROTECT IP Act, both of which died after a massive Internet campaign squelched support for them in the House and the Senate. The House-passed CISPA allows extensive sharing of information between government agencies and industry groups but does not define cybersecurity standards. The Obama administration opposes CISPA, and the president has threatened to veto it; for those who oppose the bill, only time will tell if that threat holds water.
Rep. Jared Polis, a Colorado Democrat and former Web businessman, charged during floor debates that CISPA would “waive every single privacy law ever enacted in the name of cybersecurity.” However, supporters claimed that the legislation was needed to allow Homeland Security and the National Security Agency (NSA) to efficiently share critical security information with authorized parties.
Technology companies have been divided over the bill. Microsoft, which originally supported CISPA when it was introduced in November 2011, now favors the Cybersecurity Act of 2012, a bill that has languished in the U.S. Senate since its introduction in February. During Senate hearings, Microsoft spokesperson Scott Charney had described the alternative proposal as flexible and appropriate to the security needs of government and industry. The Electronic Frontier Foundation (EFF), a civil liberties group, applauded the shift by Microsoft. EFF spokesperson Dan Auerbach said, “We’re excited to hear that Microsoft has acknowledged the serious privacy faults in CISPA.”
The administration-backed Cybersecurity Act, which has been shepherded by Sen. Joseph Lieberman, an independent, and Sen. Susan Collins, a Republican, would require electric utilities, telecommunications companies and companies in several other industries to meet cybersecurity standards written by federal agencies. Lieberman warned in February hearings that addressing security concerns had become urgent after three years of wrangling over details. Citing continuing attacks by foreign hackers and other shadowy figures, Sen. Lieberman said cybersecurity threats posed “a real and present danger to this country.” He added, “We simply cannot allow this moment to slip away from us.”
A competing approach from Sen. John McCain, who unsuccessfully sought the presidency against Barack Obama, has been pushed by seven other Republican senators and a number of business lobbying groups. The alternative proposal would set voluntary industry standards for cybersecurity.
While divisions remain deep, a significant number of security experts have expressed lukewarm support for the Lieberman-Collins bill. Reservations swirl around provisions that some experts say will give Internet service providers and information-technology companies too much latitude to ignore cybersecurity standards. Those standards would apply only to companies potentially affected by disruptions that would cause “major damage to the economy, national security, or daily life” or lead to mass death. James Lewis, who directs the technology program at the Center for Strategic and International Studies, suggests that many vital computer networks would be left unprotected, inviting attacks by criminal hackers, overseas espionage agencies and terrorists.
Privacy advocates say that while the Lieberman-Collins bill no longer includes a “kill switch” provision and is better overall than CISPA, it still needs to be pruned of sweeping provisions that would give federal agencies too much power to pry into private communications. McCain’s bill has also attracted disapproval from civil liberties activists who say the bill contains similar encroachments upon privacy.
Stewart Baker, formerly a senior official at the secretive NSA, perceives a growing lack of willingness by Congress to pass even a weak cybersecurity bill. Baker says that senators have come under heavy pressure from businesses to not impose additional regulatory burdens in a weak economy. It appears likely that with McCain’s bill losing support and with lawmakers showing little enthusiasm for embroiling themselves in controversy in a tight election year, backers will struggle to move even a diluted version of the Lieberman-Collins bill to the Senate floor for a vote in May.