CISPA Not the Right Way to Achieve Cybersecurity
CISPA presents a false choice between network security and Internet users' rights
April 18, 2012
There is a need for cybersecurity legislation, but CISPA—an overly broad bill that lacks restrictions on government abuse—is not the right way to achieve it.
CISPA allows companies to voluntarily share information pertaining to suspected attacks on their networks with other companies and the government. Operators of networks have said they need clearer legal authority to share this information. However, there are three major problems with how CISPA would allow Internet users' information to be shared and used.
- CISPA has an almost unlimited definition of what user information can be shared with the government. This definition should be narrowed to apply only to actual cyberattacks or threats.
- CISPA would allow companies to share Internet users' information directly with the National Security Agency. The National Security Agency is a super-secret agency with the dual roles of intelligence collection and protecting U.S. government networks. Entrusting the agency with private online communications also means trusting it not to use this information for intelligence purposes unrelated to cybersecurity. Once our information goes to the NSA, there will be little meaningful oversight of what the agency does with it. Information should instead go to the Department of Homeland Security, a civilian agency that will provide more accountability to the public for failure or abuse.
- CISPA would allow information shared with the government to be used for purposes unrelated to cybersecurity, including law enforcement purposes—this has the potential to turn cybersecurity into a new surveillance program.
On top of this, CISPA supersedes all other privacy laws. If privacy protections for Internet users aren't built into the bill, they simply don't exist.
Legislation that secures networks can be achieved without posing these threats—an important first step is to narrow the language.
The authors of CISPA have made some positive changes recently. Unfortunately, none of the changes gets to the heart of the privacy concerns that Internet users and advocacy groups have expressed. The Center for Democracy & Technology is still hopeful that major problems with the bill can be addressed before it goes to a vote next week—if they aren't, Congress should reject CISPA.