NB: As previously stated, my interest in these bills has nothing to do with partisanship or traditional political ideology. My opinions do not necessarily reflect those of my employers or anyone else and may evolve as I learn more about the issues.
As I’ve continued to look into CISPA in greater detail, I’ve started to understand better the objections raised by its opponents. I should also note that alternatives exist to CISPA: other bills trying to accomplish something similar with slightly more specificity. Anyone interested in this area should almost certainly read The Who, What and Why of Information Sharing in Cybersecurity Legislation on Lawfare by Paul Rosenzweig of the Heritage Foundation. Specifically, he looks at the Lieberman-Collins bill (Cybersecurity Act of 2012) and the McCain bill (SECURE IT Act), each of which cover far more than just intelligence sharing. They also originate in the Senate, while CISPA comes from the House. I really recommend reading his entire post, but I’ll note here some of the points I found most important.
- The other two bills contain specific definitions of the sorts of intelligence that the new programs would share. Actually, both of them classify threat indicators in some detail, and the Cybersecurity Act actually specifies that the intelligence should remove PII of other individuals (collateral privacy damage). I suspect that these sorts of definitions can go a long way to ease the minds of those who have concerns about the lack of specificity in CISPA.
- The Cybersecurity Act essentially designates the DHS as the lead agency to coordinate information sharing. Actually, it allows the DHS to decide which agency will take the lead, but interdepartmental politics almost guarantee that the DHS will select itself, probably attached to US-CERT in some fashion. On the other hand, the SECURE IT Act essentially lets private organizations choose from any available federal option, including the DHS, NSA, FBI, and others. These both take different approaches from CISPA, which designates the DNI as the coordinating point but doesn’t restrict private-sector organizations from sharing intelligence with any federal agency.
- Shared intelligence under the Cybersecurity and SECURE IT Acts can only be used for certain purposes, and they each have some restrictions on what law enforcement can do with the data. CISPA allows broader usages here.
None of these bills include anything like the censorship provisions in SOPA. None of them require any group to share information with the government or anyone else, though only the Cybersecurity Act seems to include major restrictions on sharing data of individuals unrelated to the threat. No federal dollars go to any private organization to fund whatever data collection and analysis systems they use. I think that CISPA opponents have triggered on the “notwithstanding any other provision of law”, but the courts don’t interpret that phrase in the same way you and I might.
From a civil liberties perspective, the intelligence sharing provisions in the Cybersecurity Act seem less controversial than CISPA. The SECURE IT Act is somewhat more nuanced in its approach to law enforcement, but generally takes a broader approach. However, the Cybersecurity Act more or less hands the coordination directly to law enforcement, whereas CISPA hands it to the intelligence community and the SECURE IT Act treats the agencies fairly neutrally.
As previously stated, these other two bills go further than just sharing cyberintelligence, including a broader approach to security in their scope. I haven’t looked at the rest of what they cover. But I think that, if the authors of CISPA continue to focus their legislation on the DNI, they could garner a lot of support by using some of the definitions and restrictions from the other bills. And I don’t know that the SECURE IT Act will do much more for threat intelligence than continue existing confusion because it will almost certainly lead to significant duplication within the government.