CISPA Sponsor Warns Bill Is Needed Because China's Chinese Hackers From China Are Stealing All-American Secrets (China!)

from the give-them-to-us-instead dept

While the focus on the cybersecurity debate shifts to the Senate, the supporters of CISPA are still loudly trumpeting that bill's supposed merits. Though the final legislation that will go before the President is undecided, and may not even be based on CISPA in the end, the details of the bill are still very important, as they contribute to the overall shape of the discussion about cybersecurity. As part of the ongoing media campaign, CISPA author Mike Rogers took to the pages of The Detroit News last week to drum up support with a screed that reeks of nationalist fearmongering and utterly misrepresents the scope and purpose of the language in the bill.

The United States, over time, became a global superpower with its hard work and know-how leading to innovations in new manufacturing, health care and information technologies. Now China is trying to use cyber espionage and theft to take a short cut to achieving superpower status.

It began with China stealing hard-copy business plans and sensitive research-and-development information from U.S. and other Western companies when their executives traveled to China. U.S. companies soon began noticing a surge in counterfeit products as their innovations were being stolen, re-engineered, and sold by Chinese companies on global markets.

With the Internet boom, China turned its focus to cyber espionage and began stealing the hard work and innovations of U.S. companies on a far larger scale.

Rogers should be careful—if he says 'China' any more times, Fu Manchu might appear in the mirror and drain his 401(k). Once he's got the reader good and scared of the Yellow Menace (having thrown in a few emotional appeals to hardworking Michigan autoworkers for good measure), he explains how CISPA is needed to take care of all those annoying regulations that limit government power and protect people's privacy:

Unfortunately, American companies are not getting the best protection available.Today, the U.S. government has intelligence information about the threat posed by nation-state actors that could help the American private sector better protect itself. However, we don't currently have a mechanism for allowing the government to share intelligence about cyber threats with the private sector, nor do we have the ability for private sector companies to share information with others in the private sector, and with the government on a voluntary basis, so that the private sector can better protect itself.

And you know what? That's fine. Even though there is a lot of debate about the true scope of foreign cyber threats, if there is a way for the government and the private sector to share anonymous network analysis data in order to improve technological defenses against hacking and malware attacks, it makes sense to legislate a mechanism for them to do so. Unfortunately, CISPA goes way beyond that—now explicitly so.

This goes back to my opinion when CISPA was amended and passed in the House: my initial reaction that it had gotten much worse was partially incorrect, but even though the amendments did technically limit the government's power under the bill, I still had (and have) a problem with the way they expanded the stated intent and purpose. From the very start, CISPA supporters have insisted (as Rogers does in this column) that it's basically all about technical considerations in fighting off foreign cyber attacks. Initially, privacy and civil liberties groups objected that it would allow the government to do much more, including accessing the private data of American citizens without a warrant—and the response was basically "no, no, it has nothing to do with that".

Right up to the last minute of debate before the House vote, CISPA's backers held to the talking points and expounded on the threat from China and the need to share technical network data. But, to appease privacy groups, they supported an amendment to limit the ways the government could use shared data under the bill to a set of explicit purposes. And what were those purposes? Far from just foreign threats, they include investigating domestic cybercrime, investigating domestic violent crime, protecting children from exploitation, and of course the catch-all "national security" that was already in the language.

It feels trite to add the obligatory preventing violence and protecting children is a good thing here, because d'uh, but when exactly did CISPA become a bill about these things? If the government wants new exceptions to privacy laws for the purposes of fighting crime, that's a major discussion with obvious constitutional implications—a discussion that privacy groups have been trying to start all along, but have been brushed off with claims that CISPA is just about rebuffing those devious foreigners. Now CISPA explicitly includes provisions for collecting evidence on domestic crime, but Rogers is still writing editorials like this one that don't mention anything to do with child exploitation, violent crime, or anything else that doesn't have the word China attached to it.

Rogers finishes the piece with a rather astonishing little rallying call:

It took Michigan's auto industry decades to achieve its prominence and the United States centuries to become a global superpower. We cannot let China steal it all away in a few short years.

I'm not sure how long it's been since Rogers visited Flint, but I think it's changed a little since he was last there. Nonetheless, the point is clear: if the government can't snoop your data for child porn and affiliations with Anonymous, the Chinese are going to start manufacturing American cars and destroy the Michigan auto industry, in turn toppling the U.S. as an economic superpower. Wait, did I say "clear"?


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. icon
    Josh in CharlotteNC (profile), 7 May 2012 @ 2:37pm

    Mechanisms

    Something I've never quite got is this talking point:

    However, we don't currently have a mechanism for allowing the government to share intelligence about cyber threats with the private sector, nor do we have the ability for private sector companies to share information with others in the private sector, and with the government on a voluntary basis, so that the private sector can better protect itself.

    Don't have a mechanism to share data? Seriously?

    How about the Internet? How about email?

    I am personally a member of certain mailing lists and listservs that do exactly what is being asked for. All the ones I'm a part of are public, but there are private/invite-only ones, too, if the data being shared is of more sensitive matters. Maybe the lobbyists are just feeling left out of the cool kids (professional security experts) groups?

    I regularly read certain websites that do exactly what is asked for. Some are non-profits, some are run by companies, and there are ones run by the government.

    Wait, the government, you say? Yeahsureyoubetcha! Take a look over at http://nvd.nist.gov/ - it is governmenmt run, on a .gov domain, site about software vulnerabilities. Let me quote... "comprehensive cyber security vulnerability database that integrates all publicly available U.S. Government vulnerability resources and provides references to industry resources" ... my, doesn't that sound familiar?

Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Techdirt Gear
Shop Now: I Invented Email
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.