, Representatives Mike Rogers and Dutch Ruppersberger have reintroduced CISPA
, exactly as it was when it passed the House last year. Incredibly, we've been hearing that they've brushed off the massive privacy concerns by claiming that those were all "fixed" in the final version of the bill that got approved. This is highly disingenuous. While it is true that they made some modifications to the bill at the very end before it got approved, most privacy watchers were (and are) still very concerned. They did convince one organization to flip-flop, and they seem to think that's all they need.
But, here's the thing that no one has done yet: explain why this bill is needed. With President Obama's executive order
in place, the government can more easily share threat info with companies, so really the only thing that CISPA piles on is more incentives for companies to cough up private information to the government with little in the way of oversight or restrictions on how that information can be used. And given how frequently the government likes to cry "cyberattack" when it's simply not true, it's only a matter of time before they start using claims of "cyberthreat!" to troll through private information.
And they still refuse to explain why this is needed. We hear lots of scare stories, but no explanation for how this bill helps
. For example, Ruppersberger has written up an oped for the Baltimore Sun in which he lays out the reasons we need CISPA
, but it's all scare stories, without a single explanation for how CISPA would help. And that's because it wouldn't.
March: Hackers allegedly steal the credit card numbers from 1.5 million Visa and MasterCard customers by breaking into the computer systems of the company's payment processor in New York. The thieves stockpiled the stolen credit card numbers for months before beginning to use them.
Payment processors already have some of the best security people in the world and have a large and widespread community of folks who do nothing but think about security issues
for this industry. At what point would that lead the payment processor or Visa or Mastercard to need to hand information over to the government?
August: Cyber attackers disrupt production from Saudi Aramco, the world's largest exporter of crude oil, taking out 30,000 computers in the process, according to press reports.
Saudi Aramco is a Saudi Arabian company. Not sure why they would be sharing info with the US government or how CISPA would relate to them at all.
January: PNC Bank announces to its 5 million customers that its website is getting hit with high traffic consistent of a cyber attack meant to delay business with its online banking customers.
Again, why would PNC need to give information to the government? And, if they could alert their customers to the threat, they can also alert the government. None of that requires the ability to share customer info.
These are just three reported examples of cyber attacks in the past 12 months. Each could have had a devastating impact on the U.S. and global economies. That's more than a bad dream — that's a full-blown nightmare.
These are just three scare stories of cyber attacks in the past 12 months, none of which would have been impacted by CISPA. So why do we need it again?
Highly trained Chinese, Russian and Iranian hackers are probing, pilfering and plotting every second of every day. They're often after personal data: In November, reports suggested a hacker was able to access nearly 4 million tax returns in South Carolina with a single malicious email. And they're often after the trade secrets of our companies: The media has reported that Coca-Cola may have fallen victim to hackers from a Chinese beverage company.
Again, what does any of that have to do with CISPA?
Many believe that what is happening to American business may be the largest transfer of wealth in the history of the world. It's costing our companies billions of dollars, and it's costing our country thousands of jobs.
Many believe that's pure hogwash. It's not the largest transfer of wealth in the history of the world. It's not costing companies billions of dollars and it's certainly not costing our country thousands of jobs.
Preventing the U.S. government from sharing information about malicious computer code it detects is akin to preventing forecasters from warning citizens about a hurricane.
Except the government already
could share a lot of information, and with the executive order can now share more. So why do we need CISPA?
Our legislation doesn't just protect companies. It will also protect every American citizen who, for example, uses electricity or banks online, or whose doctor compiles medical records electronically.
How? It's a serious question. You can talk about all of these hacks, and you can say "yay, cybersecurity bill!" but if you don't explain specifically how that bill does anything to actually stop those attacks or to protect Americans, you're full of it.
It's important to note that under my legislation, your private information will also be kept private from the government. Information-sharing between companies and the government will be entirely voluntary. Businesses do not have to share information with the government in order to receive information from the government. The bill does not authorize the government to monitor your computer or read your email, Tweets or Facebook posts. Nor does it authorize the government to shut down websites or require companies to turn over personal information.
The first sentence is simply not true. Your private information can
be shared with the government, so to say that it absolutely will be kept private is simply wrong. The second and third sentences are misleading. Yes, the information sharing is "voluntary" but since there are broad immunity exemptions, if the government is coming to most companies and saying "share this info for cybersecurity reasons, and you can't get sued for doing so," how many companies are going to stand up to the government and say no? There may be a very small number, but for the most part, companies will hand over the info. The fourth and fifth sentences are simply meaningless, because they are unrelated to the legitimate privacy concerns raised.
Once again, we're left in the same boat as before. Lots of scare stories but no explanation
of why CISPA is needed or how it actually helps. The whole thing is just way too broad, with vague justifications that simply don't make much sense when you look at the actual threats compared to what the bill would allow.