I mentioned earlier that the White House weighed in on CISPA, the cybersecurity bill working its way through Congress. Previously they had been generally supportive of it, at least judging by the words of counter-terrorism czar John Brennan. But now, a spokeswoman for the National Security Council has criticized the bill.
CISPA would encourage companies to share information about cyber threats, but the bill lacks any regulations for critical infrastructure companies and has drawn fire from privacy advocates.
“The nation’s critical infrastructure cyber vulnerabilities will not be addressed by information sharing alone,” (NSC spokeswoman Caitlin) Hayden said.
“Also, while information sharing legislation is an essential component of comprehensive legislation to address critical infrastructure risks, information sharing provisions must include robust safeguards to preserve the privacy and civil liberties of our citizens. Legislation without new authorities to address our nation’s critical infrastructure vulnerabilities, or legislation that would sacrifice the privacy of our citizens in the name of security, will not meet our nation’s urgent needs,” she said, without explicitly mentioning CISPA.
This follows the pattern of the SOPA/PIPA debate. Everyone supported it until Internet freedom activists raised awareness. Then the White House drew some lines in the sand against it. And eventually, the bills died. The civil liberties and privacy coalition emerging against CISPA may need some additional players from the tech community to really put a nail in this thing, but the progress so far is encouraging.
However, I should note that there are some key differences. First of all, the White House considers cybersecurity to be a pressing problem. A House briefing yesterday with DHS Secretary Janet Napolitano, FBI Director Robert Mueller and NSA Director Keith Alexander, among others, highlighted a “threat to the nation” from cyber attacks. Why critical infrastructure like water and energy systems suddenly are vulnerable to cyber attacks by virtue of being controlled in this fashion and without a manual backup is a good question to ask here, but the point is that the Administration thinks there’s a problem, which they phrase as a “threat” in order to get Congress moving.
Second, the White House has already endorsed the Senate version of a cybersecurity bill from Joe Lieberman and Susan Collins. This adds some more regulatory capability to the Homeland Security Department, as well as additional privacy protections. Under Lieberman-Collins, all personally identifiable information would get stripped out from any data turned over to the government.
So instead of SOPA and PIPA, here the White House is basically choosing sides between a Senate and House bill. The main detractors of the Lieberman-Collins bill when it was introduced were business groups seeking to avoid regulation on critical infrastructure. But civil liberties groups, who previously called this the “Internet kill switch” bill because it would allow government to shut down portions of the Internet (that provision has since been removed), still have problems with it.
A provision governing disclosure of information to law enforcement says a “cybersecurity exchange that is a Federal entity may disclose cybersecurity threat indicators” if “the information appears to relate to a crime which has been, is being, or is about to be committed.”
But there is no definition of “crime.”
“We do have some serious concerns about this language,” said Amie Stepanovich, counsel for the Electronic Privacy Information Center (EPIC). “The bill would, essentially, allow the government to flag any activity which may indicate a potential crime. The bill does not specify any type of crime, or even if it has to be a felony or a misdemeanor.”
Lee Tien, senior staff attorney at the Electronic Frontier Foundation, said he was worried that the statute did not make clear exactly who could monitor systems and what “countermeasures” would be permitted to stop a cybersecurity incident – that the bill could turn into a new version of “warrantless wiretapping.”
Those groups have mostly focused on CISPA, but if we get to an endgame where Lieberman-Collins gets substituted in, we’ll have to see what is objectionable in there.