The U.S. House of Representatives is scheduled to vote soon on a business-friendly bill that would give companies access to information about threats to their networks’ security.
The Cyber Intelligence Sharing and Protection Act (CISPA) would allow the government to provide classified intelligence to companies, giving them a heads-up on cyber-related issues and the chance to possibly limit or prevent damage to their corporate data. “The ability to get cyber-threats information quickly from the government could mean the difference between being able to put some safety precautions in place before the threat actually hits versus dealing with the threat when it’s actually occurring,” says Craig R. Smith, a partner at law firm Lando & Anastasi.
Of course, government in general is not known to act quickly. “The federal government has a very long way to go before it establishes a culture of robust sharing of highly sensitive information,” says Eric Friedberg, co-president of Stroz Friedberg, a digital-risk management and investigations consultancy.
The bill’s more likely outcome could be more sharing of cyber threats between companies, Friedberg suggests. Such data-sharing could help companies tackle so-called zero-day threats, new cyber risks that have not yet been incorporated into enterprise security software, he adds.
The legislation does not impose new regulations on companies, nor does it create a quid pro quo. Companies will not have to return the favor of information-sharing to government officials, although the legislation says they can on a voluntary basis.
However, there is a catch. This information-sharing could stretch the boundaries of current privacy regulations, depending on how the final wording of the bill shakes out. Because of that, the bill may not survive. The Obama Administration has vowed to veto it in its current form.
Lawmakers’ recent changes to the legislation to appease the bill’s critics haven’t satisfied concerns that it will put Internet users’ private information and civil liberties at risk. The Electronic Frontier Foundation, which is a vocal critic of the bill, says CISPA “uses dangerously vague language” for the extent of information that can be shared with the government. Skeptics of the legislation are worried about personal information and e-mail communications being shared with government officials.
Over the past few days, lawmakers have gone through two rounds of significant amendments. The latest version of the legislation would let companies take out some details in the personal data they share with the government. Another recent change to the bill calls for an inspector general to evaluate the bill’s implementation.
Protests of CISPA have been quieter than those that put an end to another set of bills that dealt with online business. CISPA has been compared to the Protect IP Act (PIPA) and the Stop Online Piracy Act (SOPA), which were designed to stop pirate sites from making money off of copyrighted material. The bills would have penalized intermediaries between copyright holders and pirates, such as search engines. They seemed poised for a quick passage, but loud protests from companies like Wikipedia and Google, as well as protests by individual Internet users on social-media sites, prompted lawmakers to drop both bills earlier this year.
In contrast, CISPA has garnered much more support from business groups, including Business Roundtable, and companies, such as Facebook. Unlike PIPA and SOPA, which created a new liability for some companies, CISPA limits the liability of both companies and executives when they share information.
That protection, however, is fueling some of the debate. The legislation does not specify how companies and the government will minimize the sharing of personal information, according to a statement by the Obama Administration yesterday. The bill also lacks accountability measures that would ensure the data is used appropriately, the statement noted, adding, “Citizens have a right to know that corporations will be held legally accountable for failing to safeguard personal information adequately.”
For now, most commentary predicts the legislation, which has upward of 100 co-sponsors, will pass the House by the end of the week. If the bill does pass, companies will likely revisit their privacy policies to address any user or consumer concerns about companies sharing new data with the government, Smith says.