“I believe that it is very possible,” former Defense Secretary Leon Panetta told a rapt audience at Georgetown University earlier this month, “the next Pearl Harbor could be a cyber attack that would have one hell of an impact on the United States of America.” That’s a belief Homeland Security Secretary Janet Napolitano shares—in January, she urged Congress not to “wait until there is a 9/11 in the cyber world” to act on cyber-security legislation. Subtle warnings, these are not.
Over the past 12 months, hackers have broken into the networks of major news organizations, including The New York Times, The Washington Post, and The Wall Street Journal in a string of audacious security breaches. The U.S. Government Accountability Office found that cyber-security incidents reported by federal agencies have risen 800 percent since 2006. Chinese hackers infiltrated the networks of nearly 800 U.S. companies and research institutions between 2000 and 2010, siphoning trillions of dollars in trade secrets and industrial IP. “They are stealing everything that isn’t bolted down,” warned House Intelligence Committee chair Mike Rogers, the lead sponsor of CISPA—the bill designed to counter these cyber threats. “And it’s getting exponentially worse.”
However, Congress’ response to the danger of war on a virtual front is exactly the wrong solution to a complicated and growing problem that defies easy answers.
CISPA is a flawed bill that looks to address the thorny issue of cyber security by using the Patriot Act as its spirit guide. The bill passed the House last April, only to die in the Senate after supporters couldn’t muster the votes for cloture. Despite that bullet to the head, the bill that Ron Paul called “Big Brother writ large” is back from the dead, thanks to Rogers and a Congress increasingly tuned in to America’s cyber insecurities. Rogers, it should be noted, is a man with his own murky conception of cyber-law: When the soldier Bradley Manning was accused of sharing classified material with WikiLeaks in 2010, it was Rogers who publicly called for his execution.
Much of last year’s controversy centered on CISPA’s unnecessarily broad language and how it related to online copyright protection. CISPA and the Stop Online Piracy Act (SOPA) were often conflated by the media, and Internet freedom activists railed against restrictions both bills could impose on online content sharing. CISPA was a bad bill—one that Aaron Swartz sagely called “worse than SOPA”—but hardly for the reasons the media and activists attacked it for.
Instead of smart legislation that soberly accounts for national security vulnerabilities, CISPA is a cyber dragnet. It treats misdemeanors the same as it does corporate espionage and acts of war. It consigns “reasonable expectation of privacy,” to the history books. And it feeds the personal information of the citizens it’s entrusted to protect into the hungry maw of a national security apparatus that should, frankly, have better things to do.
At its heart, the bill is a warrantless wiretap of your entire digital existence. CISPA would grant Google and Facebook carte blanche to turn over personally identifiable information they deem relevant to the national cyber-security effort directly to federal agencies. Say your computer becomes infected with spyware that you don’t even realize is there—a likely scenario given the Electronic Frontier Foundation estimates that 40-90 percent of all computers have been infected at one time or another. This fact alone would authorize Comcast or Verizon or whoever you pay for the privilege of delivering Internet to log your every online movement, and share that data with the government or other private companies. Once the government’s got hold of it, however, the bill further allows the sharing of that data between federal agencies and the military, a precedent-setting departure from current privacy law with the potential to create vast databases filled with the personal information of millions of American citizens. “Once that private information is in the hands of the military,” Leslie Harris, president of the Center for Democracy and Technology says, “it can be used for purposes completely unrelated to cyber security.” If this sounds like the top-secret phone logging that the NSA has been carrying out with the help of major telecoms for nearly a decade, that’s the point. CISPA would simply enshrine perpetual real-time spying on American citizens in law.
As Richard Forno, director of the University of Maryland Baltimore County’s Graduate Cybersecurity Program, explains, “even other laws that allow a company to maintain privacy, if it can be tied to cyber security under CISPA, that can be shared.” Meaning CISPA would trump any state or federal privacy protections already in place. Or, as Colorado representative Jared Polis bluntly put it during the floor debate, it would “waive every single privacy law ever enacted in the name of cyber security.”
CISPA’s definition of a cyber threat is chillingly vague. The language describes any “efforts to degrade, disrupt, or destroy,” or to “gain unauthorized access,” to a computer system or network. That means virtually everything—from guessing your office’s WiFi password to cracking Lockheed’s top-secret network and stealing drone schematics—would fall under CISPA’s jurisdiction, and would therefore be ripe for warrantless surveillance.
Rogers justifies the broad liberties his bill takes with your personal information by obfuscating his true aims. “We're talking about exchanging packets of information, zeroes and ones, if you will,” he says. “So some notion that this is a horrible invasion of content reading is wrong. It is not even close to that.” The trick, of course, is that the entire Internet is built on zeroes and ones. Those zeroes and ones, when strung together, tend to form patterns, sentences, pictures, mosaics of our entire digital lives. Calling that a privacy protection is like saying words are only made up of letters. Don’t worry, that private email the NSA just vacuumed up? It’s mostly R’s and T’s.
SOPA’s defeat last year was made possible by a vanguard of enlightened Internet companies—Google, Facebook, Yahoo!, and dozens more—publicly protesting the bill. Their lobbying dollars and technical credibility convinced Congress to back down. CISPA, however, is another story—one where the industry has played a curiously supportive role. Giants like Intel and IBM, and telecoms from AT&T to Verizon all back it. Microsoft is onboard. Even Facebook has openly endorsed the bill. The reason? SOPA was a costly proposition for most companies—it would have required them to constantly patrol their own networks for copyright infringements, and penalties for non-compliance could lead to millions of dollars wasted in potential lawsuits and federal fines. CISPA was designed from the start to be a corporation’s best friend.
The bill achieves this by absolving private companies from any liability resulting from the sharing of personal information, whether that sharing was warranted or not. “It’s a free-for-all for them,” Michelle Richardson, legislative counsel with the ACLU, told me. “They get all of the benefits and there are no downsides. They are released from following the privacy laws, they are given liability protection for sharing the content of their customer’s communications and their Internet records—no one will ever be able to hold them liable. And at the end of the day, they can choose to go to places like the NSA to share the information, which means it’s in a black box and won’t necessarily ever become public. It’s the best of all worlds.” In other words, even if Google makes a mistake in turning over your search history to the military, you have no legal recourse. You may never even know.
Indemnifying private corporations for their part in government surveillance will probably serve to make the web even less safe. Companies will be under no obligation to fix the security holes they discover in their systems, and the risk of costly litigation that has been an effective motivation to address such issues in the past will be lifted.
This Machiavellian turn all but guarantees the sharing of more information with the government, not less, purely in the interest of self-preservation. The more a company shares, the more it's protected. Mark Zuckerberg would be an idiot not to sign up.
While corporations would make out like gangbusters if the bill passes in Congress, the public will end up screwed—and not just out of its privacy. The municipal power grids and water treatment plants that make up our aging national infrastructure hardly get a mention, even though they are by far the weakest link in the cyber-security chain, having evolved in a patchwork over decades when hackers were less threatening than migrating salmon. And whereas President Obama’s recent executive order on cyber security authorizes federal agencies to share critical information with industries that the government deems vital to public safety (and not the other way around), CISPA treats these entities the same as it does Tumblr. To fix the system, “it’s going to cost a lot of money and it’s going to be very inconvenient,” says Richard Forno. “For the past 20 years we’ve essentially moved at the speed of the Internet, kept deploying more and more stuff and become more and more dependent on that stuff that’s built on a flawed foundation.” Rethinking the way we use the Internet would be a good place to start: quarantining vital infrastructure on its own private networks, separate from the public Internet and less vulnerable to intrusion. The Federal Reserve does this for its interbank money transfers—perhaps our most critical non-economic resources should too.
CISPA is tentatively scheduled for a House vote this month, and if history is any guide, there’s reason for concern. After threatening a veto last year, the White House has been conspicuously quiet this time around; Obama’s cyber chief Michael Daniel recently called cyber security and privacy “two sides of the same coin”—an ominous or encouraging remark depending on how you interpret it. The Senate has its own bill in committee, one that takes a “more measured approach” to the issue, according to Michelle Richardson at the ACLU. That bill at least requires companies to make “reasonable efforts” to remove personal data from the information they share with the government—a promise that rings a bit hollow when one realizes it’s exactly that personal information the government is likely to be the most interested in getting its hands on. But more than a decade after the passage of the Patriot Act, Congress is still missing the point—transfixed by the siren song of universal intelligence at the expense of all else, not least common sense. That our power substations and aqueducts and water treatment plants reside on the same global communication network as Russian botnets and Chinese cyber spies is an issue that has no bearing on civil liberties, and one that might actually make a difference to national security. That—not CISPA—would be a good place for Congress to start.