CISPA fight far from over. Don't fall asleep

Whenever one branch of Congress passes something, ill-informed citizens assume it's a done deal and go back to their caves. This is my plea to not let it happen in the case of the Cyber Intelligence Sharing and Protection Act (CISPA).

The House voted to push the bill forward on a 248 to 168 vote last week. In my opinion, they rushed it through despite serious privacy threats. I seriously doubt all 248 read all the fine print before pulling the trigger. They were likely more interested in who among their campaign donors were in favor of it. It's a classic case of elected officials following the money instead of the truth.

Supporters include COMPTEL, Verizon, Tech America, USTelecom, CTIA – The Wireless Association, Sprint Nextel Corporation and 29 more, according to Opponents include The Constitution Project, Fight for the Future, Free Press, Reporters Without Borders, Techdirt, TechFreedom and 19 more.

Now the legislation has to make it through the Senate. If it does, President Obama will have to decide whether to sign or veto it. There will be plenty of amendment and deal making along the way, which means there's a chance to preserve the good parts of this bill while chucking the provisions that would allow the government to over-reach.

My concerns are the same as what I mapped out in a post last week called "Need proof that CISPA stinks? Open your history books."

According to the full summary of H.R.3523:

--Cyber Intelligence Sharing and Protection Act - Amends the National Security Act of 1947 to add provisions concerning cyber threat intelligence and information sharing.

--Defines "cyber threat intelligence" as information in the possession of an element of the intelligence community directly pertaining to a vulnerability of, or threat to, a system or network of a government or private entity, including information pertaining to the protection of a system or network from: (1) efforts to degrade, disrupt, or destroy such system or network; or (2) theft or misappropriation of private or government information, intellectual property, or personally identifiable information.

--Requires the Director of National Intelligence to: (1) establish procedures to allow intelligence community elements to share cyber threat intelligence with private-sector entities, and (2) encourage the sharing of such intelligence.

--Requires the procedures established to ensure that such intelligence is only: (1) shared with certified entities or a person with an appropriate security clearance, (2) shared consistent with the need to protect U.S. national security, and (3) used in a manner that protects such intelligence from unauthorized disclosure. Provides for guidelines for the granting of security clearance approvals to certified entities or officers or employees of such entities.

--Authorizes a cybersecurity provider (a non-governmental entity that provides goods or services intended to be used for cybersecurity purposes), with the express consent of a protected entity (an entity that contracts with a cybersecurity provider) to: (1) use cybersecurity systems to identify and obtain cyber threat information in order to protect the rights and property of the protected entity; and (2) share cyber threat information with any other entity designated by the protected entity, including the federal government. Regulates the use and protection of shared information, including prohibiting the use of such information to gain a competitive advantage and, if shared with the federal government, exempts such information from public disclosure. Prohibits a civil or criminal cause of action against a protected entity, a self-protected entity (an entity that provides goods or services for cybersecurity purposes to itself), or a cybersecurity provider acting in good faith under the above circumstances.

--Allows the federal government to use shared cyber threat information only if: (1) the use is not for a regulatory purpose, and (2) at least one significant use purpose is either for cybersecurity or the protection of U.S. national security. Prohibits the federal government from affirmatively searching such information for any other purpose.

--Directs the Inspector General of the Intelligence Community to submit annually to the congressional intelligence committees a review of the use of such information shared with the federal government, as well as recommendations for improvements and modifications to address privacy and civil liberties concerns.

--Preempts any state statute that restricts or otherwise regulates an activity authorized by the Act.

Several privacy rights groups -- including the Electronic Frontier Foundation (EFF), the Center for Democracy and Technology (CDT), the American Civil Liberties Union (ACLU), and Fight for the Future -- say the bill "would allow Internet companies and the government to collect virtually any private online user content under the pretext of cybersecurity." Lawmakers have offered changes to help prevent the government and businesses from running wild in their pursuit of personal data, but critics are not satisfied.

Are critics over-inflating the potential evil in this bill? Perhaps. Hyperbole has been bouncing around the halls of Congress since the beginning of the republic, and it usually comes from those fighting for AND against a particular piece of legislation. But my gut tells me there has to be a better way to improve cybersecurity than CISPA in its current form.

This is the time to write, phone, email and tweet your elected representatives, just like we did during the SOPA-PIPA fight in January. Let's make sure there's very specific language in this bill regarding the data government and private entities can and cannot collect.

Government is like a giant, spoiled child. We have to give it some discipline and outline some crystal-clear boundaries.

Copyright © 2012 IDG Communications, Inc.
