On Dec. 1st, 2011, Jonathan Allen reported for Politico on how the Cyber Intelligence Sharing and Protection Act (CISPA) blew through the House Intelligence Committee with a 17-1 vote. The article noted that Rep. Mike Rogers and Rep. Dutch Ruppersberger had to agree to language changes that would calm more liberal Democrats and civil liberties advocates. These changes amounted to adjusting the bill's language so that "only information pertaining to cybersecurity and national security could be used" as opposed to private citizens' information. With Democratic support, Rep. Rogers and Rep. Ruppersberger hope for floor time as early as January and speedy House passage.
Again, CISPA is basically an information sharing initiative that allows for the government and private companies to share information about cyberattacks. The article notes that private companies would "participate on a voluntary basis and receive significant liability protection in return."
The source article can be found here.
***
Pam Benson also reported for CNN on CISPA. Benson quoted cyber expert James Lewis, director of the Technology and Public Policy Program at the Center for Strategic and International Studies, as saying that CISPA is a gamble because of its voluntary nature. Lewis went on to say, "We need to remove the legal impediments, but whether the next step follows automatically, that the companies do what needs to be done without any further encouragement, it's a test."
***
I finally got a hold of the text of CISPA, which can also be found here in PDF.
Big points:
- The Director of National Intelligence would establish procedures to allow the US Intel community to share cyber threat intelligence with private entities, and vice-versa, for national security purposes. These private entities have to be "certified", and they have to use that threat intelligence in a way that prevents unauthorized disclosure.
- It looks like a private company becomes certified by demonstrating to the Director of National Intelligence that they can hold a security clearance and protect the intelligence.
- Cybersecurity providers (which I read to mean cybersecurity companies like McAfee, Symantec, etc.) may obtain cyber threat information and share it with other protected entities and the US government.
- Finally, any protected entity shall be exempted from both civil and criminal liability if they choose to share information with the government.
I don't know if this is the updated copy of the bill. Thomas says that the bill I posted is still in committee, so it may not reflect the updated language. Regardless, most of the provisions would remain the same. I'll post an updated bill if it comes along.