
FRONT PAGE CONTRIBUTOR

Myth v. Fact: H.R. 624, The Cyber Intelligence Sharing and Protection Act (CISPA)

Previously, we had a guest post criticizing CISPA and calling for amendment. That amendment was not passed, and CISPA passed the House today anyway.

So let’s hear a defense of CISPA today, from Mike Rogers, Chairman of the House Permanent Select Committee on Intelligence. His words follow:


MYTH: This legislation creates a wide-ranging government surveillance program.

FACT: The bill has nothing to do with government surveillance; rather it simply provides narrow authority to share anonymous cyber threat information between the government and the private sector so they can protect their networks and their customers’ private information.

From H.R. 624, Page 11, Line 1 the government can only use cyber threat information for: “cybersecurity purposes; the investigation and prosecution of cybersecurity crimes; the protection of individuals from the danger of death or serious bodily harm and the investigation and prosecution of crimes involving such danger of death or serious bodily harm; or for the protection of minors from child pornography, any risk of sexual exploitation, and serious threats to the physical safety of minors, including kidnapping and trafficking and the investigation and prosecution of crimes involving child pornography, any risk of sexual exploitation, and serious threats to the physical safety of minors, including kidnapping and trafficking, and any crime referred to in section 2258A(a)(2) of title 18, United States Code.”

The bill does not require anyone to provide information to or receive information from the government. The entire program would be voluntary.

Page 12, Line 1: “ANTI-TASKING RESTRICTION.—Nothing in this section shall be construed to permit the Federal Government to (A) require a private-sector entity or utility to share information with the Federal Government; or (B) condition the sharing of cyber threat intelligence with a private-sector entity or utility on the provision of cyber threat information to the Federal Government.”

The bill creates no new authorities for the government to monitor private networks or communications.

Page 21, Line 9: “(4) LIMITATION ON FEDERAL GOVERNMENT USE OF CYBERSECURITY SYSTEMS.—Nothing in this section shall be construed to provide additional authority to, or modify an existing authority of, any entity to use a cybersecurity system owned or controlled by the Federal Government on a private-sector system or network to protect such private-sector system or network.”

MYTH: The definition of “cyber threat information” in the bill is too broad.

FACT: Under the bill a company may only identify and share cyber threat information for “cybersecurity purposes”; that is only when they are seeking to protect their own systems or networks.

Page 23, Line 2: “(A) IN GENERAL.—The term ‘cyber threat information’ means information directly pertaining to— (i) a vulnerability of a system or network of a government or private entity or utility; (ii) a threat to the integrity, confidentiality, or availability of a system or network of a government or private entity or utility or any information stored on, processed on, or transiting such a system or network; (iii) efforts to deny access to or degrade, disrupt, or destroy a system or network of a government or private entity or utility; or (iv) efforts to gain unauthorized access to a system or network of a government or private entity or utility, including to gain such unauthorized access for the purpose of exfiltrating information stored on, processed on, or transiting a system or network of a government or private entity or utility.”

MYTH: The bill would allow the government to obtain tax, medical, library or gun records.

FACT: On Page 12 the bill states that under CISPA the government may not obtain: library circulation records, library patron lists, book sales records, book customer lists, firearms sales records, tax return records, educational records, or medical records.

MYTH: The bill will allow the federal government unfettered access to read private emails or read Internet history without a warrant.

FACT: The highly rapid and automated nature of cyber threat information sharing already lessens the concern that an individual’s private information is being read or mined by someone. Private sector companies protect their networks by scanning their traffic with high-speed automated systems operating at network speed—largely without any human involvement—looking for specific digital patterns of malware and vulnerabilities. The overwhelming majority of traffic is ignored by these systems, which only alert on problems or abnormalities.

The government can only use and retain cyber threat information, not private email or Internet histories, for four purposes: (1) cybersecurity; (2) investigation and prosecution of cybersecurity crimes; (3) protection of individuals from the danger of death or physical injury; (4) protection of minors from physical or psychological harm.

The bill requires the government to establish minimization procedures to limit the receipt, retention and use of personally identifiable information not necessary to protect systems or networks.

MYTH: There is no oversight of or accountability for this new program.

FACT: The bill requires the Intelligence Community’s Inspector General to annually review and report on the government’s handling and use of information that has been shared by the private sector under this bill to prevent and remedy any instances of abuse.

The bill creates a role for the Privacy and Civil Liberties Board (PCLOB) and the individual agency privacy officers to provide additional oversight of the government’s use of information received from the private sector under this bill.

The bill provides clear authority to the Federal Government to undertake reasonable efforts to limit the impact on privacy and civil liberties in the act of sharing the cyber threat information.

MYTH: The government will amass countless amounts of data on U.S. citizens which will sit on government computer servers.

FACT: The bill prohibits the Federal Government from retaining or using information other than for purposes specified in the legislation.

The bill requires the government to establish minimization procedures to limit the receipt, retention and use of personally identifiable information not necessary to protect systems or networks.

MYTH: There is no redress against the government if the government mishandles an individual’s private information.

FACT: The bill establishes liability if the government violates restrictions on use, disclosure or retention of information.

Page 16, Line 1: “(d) FEDERAL GOVERNMENT LIABILITY FOR VIOLATIONS OF RESTRICTIONS ON THE DISCLOSURE, USE, AND PROTECTION OF VOLUNTARILY SHARED INFORMATION.—(1) IN GENERAL.—If a department or agency of the Federal Government intentionally or willfully violates subsection (b)(3)(D) or subsection (c) with respect to the disclosure, use, or protection of voluntarily shared cyber threat information shared under this section, the United States shall be liable to a person adversely affected by such violation in an amount equal to the sum of—(A) the actual damages sustained by the person as a result of the violation or $1,000, whichever is greater; and (B) the costs of the action together with reasonable attorney fees as determined by the court. (2) VENUE.—An action to enforce liability created under this subsection may be brought in the district court of the United States in—(A) the district in which the complainant resides; (B) the district in which the principal place of business of the complainant is located; (C) the district in which the department or agency of the Federal Government that disclosed the information is located; or (D) the District of Columbia. (3) STATUTE OF LIMITATIONS.—No action shall lie under this subsection unless such action is commenced not later than two years after the date of the violation of subsection (b)(3)(D) or subsection (c) that is the basis for the action. (4) EXCLUSIVE CAUSE OF ACTION.—A cause of action under this subsection shall be the exclusive means available to a complainant seeking a remedy for a violation of subsection (b)(3)(D) or subsection (c).”

MYTH: The private sector will be able to share individuals’ private information under this bill or can use it for marketing purposes.

FACT: The bill only allows the private sector to share information that relates directly to a cyber security purpose and they can only share cyber threat information.

Cyber threat information is specifically defined in the bill starting on Page 23, Line 2 (listed above).

Chairman Rogers is Chairman of the House Intelligence Committee and is a national leader on national security policy. He served as an FBI special agent before being elected to the Michigan Senate in 1995. He has served Michigan’s Eighth Congressional District in Congress since 2001.
