The bill is expected to resemble 2014’s CISA (Cybersecurity Information Sharing Act), which critics say was just a warmed-over version of CISPA (Cyber Intelligence Sharing and Protection Act), which in turn was opposed for being too much like SOPA (Stop Online Piracy Act).
The stated intent of all these failed bills has been to facilitate the sharing of online information between private companies and the government in order to combat cyber security threats by providing companies with certain protections against liability for sharing information.
The senators likely responsible for this latest draft are Republican Richard Burr of North Carolina and Democrat Dianne Feinstein of California, The Hill reports.
Several high-profile cyber attacks in recent months — like that against Sony Pictures — are ramping up pressure to strengthen cyber defenses.
"There’s only one way to defend America from these cyber threats, and that is through government and industry working together, sharing appropriate information as true partners," President Obama said at the White House Summit on Cybersecurity and Consumer Protection on Feb. 13, where he announced an executive order to promote information sharing.
Second Verse, Same as the First
But opposition to all these initiatives from online privacy advocates and civil liberties groups has been fierce, as they cite more or less the same problems with each new version of the legislation.
The most recent attempt, CISA — which the Electronic Frontier Foundation called a “Zombie Bill” — was introduced to the Senate in July 2014 but never made it out. For the fourth time in as many years, Congress had failed to pass cyber security legislation over objections similar to those faced by CISPA as it moved through the House in 2013.
“[The cybersecurity bills] always seem to come with broad immunity clauses for companies, vague definitions, and aggressive spying powers,” the EFF wrote about CISA. “Given such calculated violence to users' privacy rights, it’s no surprise that these bills fail every year.”
As with previous bills, one of the main concerns from opponents was that CISA allowed the government to collect vast amounts of personal information without a warrant by going directly to companies and getting the information from them. Meanwhile, companies were let off the hook for handing data over.
“While we hope many companies would jealously guard their customers' information, there is a provision in the bill that would excuse sharers from any liability if they act in "good faith" that the sharing was lawful,” the American Civil Liberties Union wrote about CISA.
Vague definitions also raised red flags. What constituted a “cybersecurity threat,” for example, could, as many advocacy groups pointed out at the time, put whistleblowers at risk while trying to expose information their bosses want under wraps. Or it “could be read by companies to permit attacks on machines that unwittingly contribute to network congestion,” according to the EFF.
The role of the NSA looms large amid privacy concerns, and CISA floundered in part because Congress failed to pass NSA reform legislation that would satisfy those who feared the agency would end up with easy access to all the personal data swept up in the name of cybersecurity.
The NSA connection could still be a concern, since the fate of many of the most controversial programs is up in the air as the June 1st expiration date for many key PATRIOT Act provisions nears.
New Bills Not as Offensive to Industry’s Top Players
Opposition to SOPA, which had a different focus than later bills, was more widespread than opposition to the more recent incarnations of cyber security bills. SOPA and the related PIPA (Protect IP Act) were aimed at fighting piracy by going after websites that dealt in counterfeit goods. There were similar concerns about overly broad definitions, immunity from liability and the collection of personal data.
But SOPA and PIPA posed a threat not only to individual users’ privacy, but also to major tech companies and websites who feared their sites could be shut down — meaning the loss of a lot of business. This broad opposition is why so many major companies participated in a successful protest — blacking out their websites in January 2012 — to raise awareness among the public.
With CISPA and CISA, however, a lot of that high-powered tech industry protest has been muted. While hundreds of websites took part in a blackout protest in April 2013 against CISPA, big names like AT&T, IBM and Verizon supported the bill.
Google was on board and Facebook released a statement saying “if the government learns of an intrusion or other attack, the more it can share about that attack with private companies (and the faster it can share the information), the better the protection for users and our systems.”