The Cyber Intelligence Sharing and Protection Act (CISPA) passed the House last Thursday on a 288-127 vote. The bill now heads to the Senate, where it is expected to face stiff resistance. President Obama is on record as opposing CISPA, threatening to veto the bill if it doesn't address civil liberties concerns.
So, that's certainly something worth cheering about. On the tech side of things, Reddit co-founder Alexis Ohanian continues his campaign to kill CISPA. The masses, meanwhile, are too transfixed by the Boston Marathon spectacle to care much about internet privacy. Not to devalue that horrible tragedy, but Americans might also want to watch their government's debate on a bill that will have vast repercussions far into the future.
Under CISPA, corporations would be allowed to aggressively combat loosely-defined “cybersecurity threats.” Rep. Jim Langevin wisely attached an anti-hack-back amendment to CISPA limiting corporations to cybersecurity measures only on their own networks. Language found in the exemptions section, however, effectively nullifies this amendment. Companies would be able to act with immunity outside their networks. Translation: it's illegal to hack as an act of civil disobedience (see: Anonymous), but perfectly legal if you are a corporation.
Another implication is that neither companies nor the government will have to prove beyond a reasonable doubt who committed the cyber-crime. Immunity could potentially lead to the internet's very own version of an endlessly escalating Lincoln Country War.
A perceived threat could be anything—whatever act a business finds threatening.
I put the question to Electronic Frontier Foundation's Mark Jaycox on whether or not CISPA could create a type of legalized, extra-judicial vigilantism.
“'Vigilantism' is a pretty specific term,” said Jaycox. “The amendment passed limits companies from acting beyond their own computer networks to gather threat information; however, it ignores another section of the bill that allows wide ranging acts in response to the perceived threat.”
Therein lies the rub. A perceived threat could be anything—whatever act a business finds threatening.
As Jaycox notes, CISPA's immunity section covers any "decision made" based on information a company learns as long as the business acts in “good faith.” Rather innocuous language, to be sure, but troubling given the nebulous legal definition of good faith. Jaycox says the immunity and good faith language creates a significant loophole.
“A company could still use aggressive countermeasures outside of its own network as long as it believed the countermeasures were necessary for protection,” Jaycox told me. “This section could have been fixed by limiting the broad legal immunity given to companies. But, it wasn't. So the amendment still leaves the door open to abuse. A user's only recourse is to prove a company didn't act in 'good faith,' which is notoriously hard.”
The immunity and “good faith” language appears in Sec. 3 Cyber Threat Intelligence and Information Sharing, under Exemption From Liability (read the full bill here):
(A) EXEMPTION- No civil or criminal cause of action shall lie or be maintained in Federal or State court against a protected entity, self-protected entity, cybersecurity provider, or an officer, employee, or agent of a protected entity, self-protected entity, or cybersecurity provider, acting in good faith--
(i) for using cybersecurity systems to identify or obtain cyber threat information or for sharing such information in accordance with this section; or
(ii) for decisions made for cybersecurity purposes and based on cyber threat information identified, obtained, or shared under this section.
(B) LACK OF GOOD FAITH- For purposes of the exemption from liability under subparagraph (A), a lack of good faith includes any act or omission taken with intent to injure, defraud, or otherwise endanger any individual, government entity, private entity, or utility.
An amendment should have neutered this broad immunity language. Even if the Senate decides not to take up CISPA (as it did in 2012), this provision's very existence needs to be addressed loudly and aggressively in public. It is not much ado about nothing from a “bunch of 14-year-olds tweeting from their basement,” as the bill's sponsor Rep. Mike Rogers describes the opposition. CISPA grants a legal power that corporations should not have.
As Greg Nojeim, Director of CDT's Project on Freedom, Security & Technology, said in a statement yesterday, the immunity provision “threatens privacy and is unnecessary for cybersecurity. The bill also invites companies to engage in reckless and negligent cybersecurity conduct that could injure others, and insulates that conduct against criminal and civil liability." In other words, if an internet user is attacked by a company during “cybersecurity conduct,” they would have no legal recourse to pursue damages. Go fuck yourself seems to be the operating principle here.
But in a country where corporations have been elevated to the legal status of human beings, is anyone really surprised that this loophole was left wide open? Don't think for a minute that CISPA's architects were alone in thinking, “Wouldn't it be a great idea to include an immunity provision?” Corporations likely lobbied hard for this exemption.
In fact, Rep. Rogers' wife, Kristi Clemens Rogers, only recently left her post as CEO and president of Aegis LLC, a company that stands to benefit from CISPA's passage. Aegis LLC is a security defense contractor that “provides government and corporate clients with a full spectrum of intelligence-led, culturally-sensitive security solutions to operational and development challenges around the world.” Well, like the characters in Netflix' House of Cards, lobbying is probably made easier when one is married to the architect of a controversial bill.
Even Rep. Rogers has his reservations about private sector offensive measures, though.
"I will guarantee you there will be lots of mistakes made," said Rogers at at a recent cybersecurity conference at George Washington University. "I worry about the private sector engaging in offensive [activities] ... because a lot of things are going to go wrong." Thanks, Mike!