Over the past few years, governments throughout the developed world have proposed legislation to combat threats to cybersecurity. While protecting cybersecurity is certainly a worthy goal, the majority of the legislation brought forth also threatens to invade the privacy of internet users.
Two such bills, the Cyber Intelligence and Sharing Protection Act (CISPA) and the Cybersecurity Act of 2012, have been steadily making their way through the United States Congress. CISPA was overwhelmingly passed in the House of Representatives in late April and is likely to be voted upon in the Senate in early June. President Obama has stated his intent to veto CISPA if it reaches his desk in its current form. The White House was unavailable for comment on this issue at this time. The Cybersecurity Act of 2012, introduced by Senators Joseph Lieberman (I-CT) and Susan Collins (R-ME), has had a more difficult time in the Senate but has the seal of approval from the White House.
Among privacy advocates’ chief concerns is exactly what defines a “cybersecurity threat” in these bills. CISPA defines cyber threat information as:
“that which can be shared notwithstanding any law (see Secs. 1104(b) and 9d) as information directly pertaining to a vulnerability of, or threat to a system or network of a government or private entity, including information pertaining to the protection of a system or network from– (A) efforts to degrade, disrupt or destroy such system or network; or (B) theft or misappropriation of private or government information, intellectual property, or personally identifiable information (Sec. 1104(b)(f)(6))”.
The vague nature of this language creates a wide loophole within existing privacy laws, so that even ordinary activities such as e-mail encryption could be deemed threatening and invite surveillance. Furthermore, there is little protection of personal information once an apparent cyber-threat is detected, meaning an ISP (Internet Service Provider) can share any information regarding its customers’ identities and internet activities with the government and other ISPs if it believes “in good faith” that a person may be connected to a threat.
While the Cybersecurity Act of 2012 is slightly more specific in its definition of a cybersecurity threat, it raises another set of concerns: its implementation could directly violate net neutrality by giving companies the ability to divert traffic against any possible threat or action that may compromise an information system. It also mandates that individual companies ensure, at their own cost, that they meet the cybersecurity standards set by the government, which could retard the advancement of security technology by competitive industry.
The vast amount of money contributed to Congress by companies that may benefit from this type of legislation is also of concern. Defense contractors, cable & satellite TV production/distribution, computer software, cellular systems equipment, and online computer services companies contributed more than $31 million to the House of Representatives from fiscal years 2009 to 2011. AT&T alone is responsible for more than $24.5 million in contributions to Congress during that time period.
Proponents of CISPA, the Cybersecurity Act of 2012, and other cybersecurity legislation have been quick to gloss over the privacy concerns related to these bills, citing the ever-increasing terror threats to cybersecurity. The most recent of these, an al-Qaeda video calling for an “electronic jihad”, has provided more fuel for the arguments behind this legislation.
While there has been an exponential increase in cyber attacks in recent years, opponents of the current bills have called for more transparency in the creation of such legislation and for the inclusion of more privacy advocates and security professionals when creating laws that have the potential to affect the privacy of millions. One such opponent, the Electronic Frontier Foundation (EFF), has called on voters to put pressure upon their elected officials ahead of proposed voting in early June, citing the need for more citizen involvement in the drafting of any cybersecurity legislation.