Previously, we had a guest post criticizing CISPA and calling for amendment. That amendment was not passed, and CISPA passed the House today anyway.
So let’s hear a defense of CISPA today, from Mike Rogers, Chairman of the House Permanent Select Committee on Intelligence. His words follow:
MYTH: This legislation creates a wide-ranging government surveillance program.
FACT: The bill has nothing to do with government surveillance; rather it simply provides narrow authority to share anonymous cyber threat information between the government and the private sector so they can protect their networks and their customers’ private information.
From H.R. 624, Page 11, Line 1 the government can only use cyber threat information for: “cybersecurity purposes; the investigation and prosecution of cybersecurity crimes; the protection of individuals from the danger of death or serious bodily harm and the investigation and prosecution of crimes involving such danger of death or serious bodily harm; or for the protection of minors from child pornography, any risk of sexual exploitation, and serious threats to the physical safety of minors, including kidnapping and trafficking and the investigation and prosecution of crimes involving child pornography, any risk of sexual exploitation, and serious threats to the physical safety of minors, including kidnapping and trafficking, and any crime referred to in section 2258A(a)(2) of title 18, United States 19 Code.”
The bill does not require anyone to provide information to or receive information from the government. The entire program would be voluntary.
Page 12, Line 1: ‘‘ANTI-TASKING RESTRICTION.—Nothing in this section shall be construed to permit the Federal Government to (A) require a private-sector entity or utility to share information with the Federal Government; or (B) condition the sharing of cyber threat intelligence with a private-sector entity or utility on the provision of cyber threat information to the Federal Government.”
The bill creates no new authorities for the government to monitor private networks or communications.
Page 21, Line 9: “(4) LIMITATION ON FEDERAL GOVERNMENT USE OF CYBERSECURITY SYSTEMS.—Nothing in this section shall be construed to provide additional authority to, or modify an existing authority of, any entity to use a cybersecurity system owned or controlled by the Federal Government on a private-sector system or network to protect such private-sector system or network.”
MYTH: The definition of “cyber threat information” in the bill is too broad.
FACT: Under the bill a company may only identify and share cyber threat information for “cybersecurity purposes”; that is only when they are seeking to protect their own systems or networks.
Page 23, Line 2: ‘‘(A) IN GENERAL.—The term ‘cyber threat information’ means information directly pertaining to— ‘‘(i) a vulnerability of a system or network of a government or private entity or utility; ‘‘(ii) a threat to the integrity, confidentiality, or availability of a system or network of a government or private entity or utility or any information stored on, processed on, or transiting such a system or network; ‘‘(iii) efforts to deny access to or degrade, disrupt, or destroy a system or network of a government or private entity or utility; or ‘‘(iv) efforts to gain unauthorized access to a system or network of a government or private entity or utility, including to gain such unauthorized access for the purpose of exfiltrating information stored on, processed on, or transiting a system or network of a government or private entity or utility.”
MYTH: The bill would allow the government to obtain tax, medical, library or gun records.
FACT: On Page 12 the bill states that under CISPA the government may not obtain: library circulation records, library patron lists, book sales records, book customer lists, firearms sales records, tax return records, educational records, or medical records.