April 24, 2012 | Issue Brief on Homeland Security
Recognizing that the U.S. faces serious cybersecurity threats, Congress has wisely decided to take action in this important arena, and the House of Representatives will vote on multiple cybersecurity bills this week. It is just as important, however, that Congress take proper and helpful action.
House Permanent Select Committee on Intelligence chairman Mike Rogers (R–MI) and ranking member Dutch Ruppersberger (D–MD) have produced the Cyber Intelligence Sharing and Protection Act (CISPA). This bill is a smart, bipartisan product that makes it easier for the government and the private sector to share cyberthreat and vulnerability information. A number of outside groups have raised concerns about the bill, and the sponsors have made some changes that warrant analysis of CISPA to see how well it addresses those concerns while still enhancing America’s cybersecurity efforts.
The Benefits of Sharing Cyberthreat Information
CISPA removes the barriers between private-sector actors and other entities in government or the private sector. Currently, both the private sector and the government analyze threats and adjust their cyberdefenses to the threats and vulnerabilities they see. Ambiguities in liability and privacy laws prevent these actors from sharing this information with each other.
CISPA removes these ambiguities and would allow the government to share information with certified private-sector actors, and private-sector actors to share cybersecurity threat information with other certified private actors and the federal government. Nothing in the bill is a mandate. Any information shared with the federal government would be exempt from Freedom of Information Act requests and treated as proprietary information.
Additionally, CISPA protects private-sector actors from any liability resulting from sharing information. Without such a provision, a private actor would fear that sharing threat information could result in adverse consequences. For example, company A sees something dangerous and in good faith passes that information along to company B. Company B takes some action as a result of that information. As sometimes happens with intelligence sharing, the information might be wrong or incomplete, and company B might get hurt by the actions it took. Without liability protection, company B could potentially sue company A for damages.
As a whole, the authors of CISPA took a restrained, cooperative approach. Instead of mandating a certain answer to the nation’s cybersecurity problems, CISPA recognizes that the private sector is already actively engaged in enhancing cybersecurity and could do more if it is given more information. The authors of CISPA should be congratulated for rejecting the view that congressional experts can come up with the “right” answer to America’s cybersecurity woes and instead choosing to tap the power and ingenuity of the American private sector.
Concerns and Changes
Though the first version of CISPA was a good effort, a number of privacy advocates and organizations raised some concerns about the bill. In response to these concerns, CISPA was modified in several key ways over the past several months:
CISPA is a sensible and bipartisan bill designed to enhance U.S. cybersecurity efforts by providing private- and public-sector actors with threat information that can help them thwart incoming cyber-attacks. Through various amendments and changes, CISPA has addressed most, if not all, of the privacy concerns leveled against it. Importantly, these changes do not weaken the cybersecurity enhancements that the bill provides. CISPA avoids potentially harmful regulations and uses the innovation and resourcefulness of the private sector to make the nation more secure.
Paul Rosenzweig is a Visiting Fellow in the Center for Legal and Judicial Studies and the Douglas and Sarah Allison Center for Foreign Policy Studies, a division of the Kathryn and Shelby Cullom Davis Institute for International Studies, at The Heritage Foundation.
See Paul Rosenzweig, “Congressional Cyber Initiative Shows Promise,” Heritage Foundation Web Memo No. 3478, January 31, 2012, http://www.heritage.org/research/reports/2012/01/rogers-ruppersberger-bill-a-solid-cybersecurity-approach.
“Certified actors or entities” are those organizations or individuals who are able to possess a security clearance in order to safeguard the threat information they receive. If entities were not required to be certified, then shared threat information would be easily obtainable by hackers and malicious actors, who would then adjust their attacks, rendering the shared information less valuable.
Indeed, Chairman Rogers has pointed out that this anti-tasking provision is actually stronger than legislative language proposed by some of the privacy advocates.