April 27, 2012

Stopping Congress' Cybersecurity CISPA Nightmare

In the wake of the 9/11 tragedies, the U.S. Congress rushed to pass the ostensibly anti-terrorism PATRIOT Act. While we can reasonably view their motives as mostly virtuous at the time, over the years many observers have come to view PATRIOT as a classic example of bad, knee-jerk legislation that had far more of an impact in terms of damaging the civil liberties of honest citizens than it did genuinely fighting true terrorism.

In their scramble yesterday to pass CISPA -- H.R. 3523: The Cyber Intelligence Sharing and Protection Act of 2011 -- Congress' House of Representatives has created a framework for attacks on civil rights and privacy that not only far exceed the abusive potential of the much despised (and currently sidelined) SOPA and PIPA legislation, but also that of PATRIOT itself.

It didn't have to be this way. We can all acknowledge that cybersecurity is a serious issue, and that real cybersecurity threats do exist.

But as I've noted in "CISPA, Cybersecurity, and the Devil in the Dark" and elsewhere, cybersecurity has become a new target for exploitation by intelligence agencies and commercial profiteers alike, and CISPA legislation in particular has seemed increasingly problematic from the word go.

The rumor was that various amendments would be added to CISPA before yesterday's House vote, to correct some of the more egregious privacy problems contained in the main legislation.

Instead, in an absolutely stunning display of disrespect for legitimate privacy concerns and other civil rights, the House not only failed to make the legislation better before passing it by a 248 to 168 margin, but by voice vote they actually made it incredibly more dangerous and outrageous.

The result is one of the most toxic witch's brews against civil rights and privacy that can be imagined.

Overriding decades of privacy protections in current law, CISPA would now permit firms and other organizations to hand over to authorities vast quantities of your personal Internet communications -- essentially any and all of it -- whenever it is felt that essentially undefined "cybersecurity" events are at hand. No judges, no warrants, no probable cause required.

High school student trying to crack a system to download a game for free? Cyberattack declared!

Misconfigured hardware or software causing a denial of service problem? Cyberattack declared!

Anything that seems at all out of the ordinary and you want to pass the buck as quickly as possible? Cyberattack declared!

It's obvious that with only a modicum of imagination it will be trivial to declare a cyberattack or other "cybersecurity event" to trigger CISPA virtually on demand.

But wait, it gets better (as Darth Vader might say). All of this personal Internet data turned over to the government isn't restricted to fighting cybersecurity attacks per se.

Not only can it be shared with intelligence agencies, where it will tickle and enhance vast databases the names of which we couldn't even imagine without an SCIF clearance, but this data could also now be used for a vast range of other purposes, even including (somehow you knew Congress was going to work this in there) fighting child porn.

And any entities sharing your private data with the government under CISPA are covered by broad liability immunities in the legislation that will encourage them to divulge private data first and ask questions ... maybe never.

We all want to protect against real cyberattacks, child porn, and terrorism.

But CISPA has evolved -- especially after the House's actions yesterday before passage -- into one of the most potent spying and civil-liberties-adverse pieces of legislation ever proposed, much less passed by a branch of Congress.

In light of this, firms who expressed support for CISPA in the past would be wise to reevaluate their positions, and those who have taken a neutral stance might now wish to at least consider a formal statement against the legislation in the form passed by the House.

The U.S. Senate has yet to take action on CISPA, and President Obama was threatening to possibly veto it even before the House's travesties of yesterday.

But if you objected to SOPA and PIPA, if you care about the privacy of your Internet communications, this is no time to be on the sidelines.

Tell your Senators and the President in no uncertain terms that you want appropriate cybersecurity legislation, but that you are unwilling to flush your civil rights down the toilet in the process. And do keep in mind who voted for CISPA in the House. You may want to express your displeasure to them as well.

CISPA has become a dramatic demonstration of good intentions on the part of some being warped by the bad and greedy intentions of others, and of Congress -- at least the House of Representatives -- seeming to show a disdain of liberty that is awesome in its recklessness.

Like I said, it didn't have to be this way. We do definitely need responsible legislation dealing with serious cybersecurity issues -- no doubt about it.

Yet without major changes to protect our rights, CISPA is a trap, a pit in the darkness, a nightmare in waiting for us all.

CISPA and its kin must be definitively, absolutely, and unambiguously stopped in their tracks.


Posted by Lauren at April 27, 2012 01:02 PM
Twitter: @laurenweinstein
Google+: Lauren Weinstein