CISPA: Just say no to the Cyber Intelligence Sharing and Protection Act

Sponsoring the Cyber Intelligence Sharing and Protection Act of 2011 (CISPA), Congressman Mike Rogers (R-Michigan) is competing to see if he is more evil than SOPA sponsor Lamar Smith (R-Texas).

The bill’s stated purpose is…

[t]o provide for the sharing of certain cyber threat intelligence and cyber threat information between the intelligence community and cybersecurity entities, and for other purposes.

The official summary of the bill by the Congressional Research Service states that CISPA…

[a]mends the National Security Act of 1947 to add provisions concerning cyber threat intelligence and information sharing. Defines “cyber threat intelligence” as information in the possession of an element of the intelligence community directly pertaining to a vulnerability of, or threat to, a system or network of a government or private entity, including information pertaining to the protection of a system or network from: (1) efforts to degrade, disrupt, or destroy such system or network; or (2) theft or misappropriation of private or government information, intellectual property, or personally identifiable information. Requires the Director of National Intelligence to: (1) establish procedures to allow intelligence community elements to share cyber threat intelligence with private-sector entities, and (2) encourage the sharing of such intelligence. Requires the procedures established to ensure that such intelligence is only: (1) shared with certified entities or a person with an appropriate security clearance, (2) shared consistent with the need to protect U.S. national security, and (3) used in a manner that protects such intelligence from unauthorized disclosure. Provides for guidelines for the granting of security clearance approvals to certified entities or officers or employees of such entities. Authorizes a cybersecurity provider (a non-governmental entity that provides goods or services intended to be used for cybersecurity purposes), with the express consent of a protected entity (an entity that contracts with a cybersecurity provider) to: (1) use cybersecurity systems to identify and obtain cyber threat information in order to protect the rights and property of the protected entity; and (2) share cyber threat information with any other entity designated by the protected entity, including the federal government. 
Regulates the use and protection of shared information, including prohibiting the use of such information to gain a competitive advantage and, if shared with the federal government, exempts such information from public disclosure. Prohibits a civil or criminal cause of action against a protected entity, a self-protected entity (an entity that provides goods or services for cybersecurity purposes to itself), or a cybersecurity provider acting in good faith under the above circumstances. Directs the Privacy and Civil Liberties Oversight Board to submit annually to Congress a review of the sharing and use of such information by the federal government, as well as recommendations for improvements and modifications to address privacy and civil liberties concerns. Preempts any state statute that restricts or otherwise regulates an activity authorized by the Act.

Under the guise of protecting cyber and national security, the bill would allow the government and private companies — like your Internet Service Provider (ISP) or Facebook — to share information with each other about “threats.” Those threats are not clearly defined and there’s no requirement that any information shared be stripped of personally identifiable information either. At a minimum, this bill encourages companies to become spies for the government.

As with the SOPA debacle, the Electronic Frontier Foundation is fighting against CISPA. Join the fight against this attempt to destroy your online privacy.