The Verdict on Cyber Information Sharing
The Congress of the United States is showing again why it remains schizophrenic in its appraisal of rights and obligations – encouraging of various whistleblower protections on the one hand while suggesting at points why they should be prosecuted, and extolling the virtues of an open, free internet while trying to clip the wings of those who use it. On the one hand, hactivists are to be admired; on the other, they are the bane of a modern political condition, invisible warriors that wreak havoc on computer systems. The concern, as ever, is what cyber warfare can do to company receipts.
The next battlefront seems to forming around the Cyber Intelligence Sharing and Protection Act (CISPA), which effectively permits the voluntary sharing between private entities and the government in the event of a cyber assault. The CISPA fan members have been chanting that such measures are necessary given the threats posed by the upstart incursions of China and Iran. These are dangerous times (aren’t they always?), and privacy should be abridged where necessary, at least if it means a heavier pocket.
CISPA had been moving inexorably through the political process, having been approved in the House and awaiting the eyes of Senators. Attempts have been made by such hactivist outfits as Anonymous to “go dark” as a protest measure against the bill, something that was done with some success against the Stop Online Piracy Act (SOPA) and the PROTECT IP Act (PIPA). As always, such benign acronyms are the stuff of seemingly innocuous fluff, concealing the more potent implications of the changes.
They need not have worried too much. For one thing, the sponsors of the bill – Reps. Mike Rogers (R-MI) and Dutch Ruppersberger (D-MD) – were already sensing trouble. For that reason, the congressmen introduced an amendment requiring the government to remove identifying features of any data turned over to a company. The same, however, cannot be said for private companies when they submit data to the government. With such incongruous burdens, companies may well be reluctant to participate.
Then came that uncomfortable blurring, at least for privacy advocates, between civilian and military roles, unsurprising perhaps given the vast and rapid privatisation of American security.
The statement on April 16 from the White House – that President Obama would veto CISPA in its current form – put another obstacle before supporters of the bill. Not that the President should be taken as being an opponent of privacy abridgments – where he deems it necessary, a bit of surrendering might be in order. He would just prefer it if bipartisan support for such a measure could be obtained.
The ever suspicious Electronic Frontier Foundation has suggested that the bill was drafted in an expansive way, “to permit your communications service providers to share your emails and text messages with your government, or your cloud storage company could share your stored files.” It would also provide immunity from suit for companies all too willing to pass on information. Those countering this argument feel that it is precisely a bill such as CISPA that will keep such information safe from the marauding hackers of ill-intent.
The companies that have been keen to back CISPA have been pouring money into the campaign with the enthusiasm, even desperation, of a drunken sailor. The Sunlight Foundation noted that pro-CISAP businesses forked out amounts 140 times that of anti-CISPA interests. Maplight (Apr 4), in examining tech companies keen to defeat the bill, found that a mere $17,000 was forthcoming, mostly from employees of such companies as Craigslist. For activism director of the EFF Rainey Reitman, the attraction for CISPA for companies lies in the liability protections.
Senator Jay Rockefeller (D-WV), chairman of the U.S. Senate Committee on Commerce, Science and Transportation, made it clear that the bill would be unlikely to pass in its current form given protections for privacy that were “insufficient”. Another representative of the Senate, as reported in the U.S. News of the World (Apr 25) claimed that something of a scrap was on, with senators “divvying up the issues and the key provisions everyone agrees would need to be handled if we’re going to strengthen cybersecurity. The result will be separate bills from separate pens.
Some kind of armour may well be needed, but the line between defensive armour and offensive weaponry is something that legislators have not always heeded. The Press Secretary for Senate Intelligence Committee Chairman Senator Dianne Feinstein (D-Calif.) told Mashable (Apr 25) that the senator and her colleagues were “currently drafting a bipartisan information sharing bill and will proceed as soon as we come to an agreement.”
Michelle Richardson of the American Civil Liberties Union is, for the time being, jubilant. “I think [the bill] is dead for now.” Not merely was it controversial, it would have been too expensive. But that is hardly any reason to suppose that drafters are going to be idle their efforts to add more fat to the hulk that is the American security state. American companies are, it is felt, fighting a war against virtual warriors of the net. And since any U.S. Congress tends to be the parliament of business, a bill favouring their stance is not out of the question.
Binoy Kampmark was a Commonwealth Scholar at Selwyn College, Cambridge. He lectures at RMIT University, Melbourne. Email: email@example.com