CISPA Returns: Cyber Week 2013 on the Hill
Although we continue to move forward with business, we do ask that you pause momentarily in remembrance of those lost or injured in yesterday’s senseless act of violence in Boston. Our thoughts and prayers go out to all affected families and friends.
This week has been dubbed “cyber week” on Capitol Hill. Lawmakers have a lot of work ahead of them, given several recent detailed reports of worsening cybercriminal activity (with Mandiant, Trend Micro, and McAfee as exemplars) and attacks on various internet resources used to help battle cybercriminals (including the takedown of Spamhaus). Clearly, no shortage exists of reasons why at least basic cyber legislation is needed, but the path to get there won’t necessarily be straightforward. Despite the general consensus that our nation needs to address somewhat outdated cyber laws and enact new laws to address the growing cyber threat, there are philosophically different approaches that keep most bills from garnering any kind of bipartisan consensus.
On the House side, two of the most controversial matters involve (1) the still-not-yet-passed Cyber Intelligence Sharing and Protection Act (“CISPA”) and (2) a set of potential amendments to the Computer Fraud and Abuse Act (“CFAA”). CISPA, which was introduced last year by Rep. Rogers and Rep. Ruppersberger, attempts to get rid of unnecessary obstacles that would otherwise prevent companies from sharing cyber threat information with the U.S. government. CISPA has gained a reasonable level of support from a wide range of industry stakeholders, including telecomm, financial services, technology, and healthcare companies. Perceived problems with privacy protections involving personal data and potential flow of such information to the intelligence community, however, had previously derailed its progress. It passed the House last spring but did not get taken up by the Senate. Further, the White House had threatened to veto CISPA in the past even before it was taken up on the House floor, saying that privacy concerns and failure to address security gaps in critical infrastructure forced the need for a veto. An updated version passed out of committee last Wednesday with a decisive 18-2 vote. It likely will come to the House floor this week. In the kick off of cyber week activities and possible votes, The Hill reports that 200 IBM executives will be visiting Capitol Hill to show their support for the passage of CISPA. Similarly, the TechNet trade group (which counts Apple, Cisco, Dell, Google, Microsoft, and Yahoo among its participants) has sent a letter to Rep. Rogers and Rep. Ruppersberger commending their work on CISPA.
Moving on to the CFAA, the House Judiciary Committee recently put forth a draft proposal that would make some interesting changes. Some commentators point out quite a bit of irony in the proposals. Whereas the prosecution and death of Aaron Swarz led to cries for significant curtailing of the CFAA, the House Judiciary draft actually seeks expansion of some of the penalties. For example, section (a)(4) of the CFAA (“knowingly accessing a computer without authorization”) currently carries a maximum sentence of five years for each violation. The new proposal would increase that to twenty years each. In addition, the proposal clarifies the meaning of “exceeds authorized access” by including the notion of “accessing information for an ‘impermissible purpose.’” This presumably would preserve the ability for law enforcement to go after those engaged in online criminal behavior without the fear that they would lose the CFAA as a tool as a result of the argument that terms-of-use violations deserve blanket “protection” from CFAA purview.
Other House action includes the introduction of two Cybersecurity R&D bills by the House Homeland Security Committee. According to sources, these will have an information sharing component and will bolster DHS authorities in the cybersecurity area.
On the Senate side, things are tracking a bit more slowly. In ECPA reform action, a warrant will be needed to search emails according to new Senate bill introduced by Sen Leahy (D-Vt) and Sen Mike Lee (R-Utah). Under the Electronic Communications Privacy Act Amendments Act of 2013, the government must promptly notify someone if private online information has been accessed, though a court order can be obtained to delay notification to protect an ongoing investigation.
It’s going to be fun to watch the positioning and sparring (depending on your definition of fun). For example, several commentators are already saying that CISPA, “stripped of its privacy protections” will be heading to the House for a vote. I wonder if anyone will come forward to defend it with a tag-line of “CISPA protects you by providing access to information needed by the intelligence community and law enforcement.” Somehow, I doubt it (even if it is true). In any event, many people had high hopes in the past that cyber legislation would pass and disappointment reigned when nothing actually made it. This year could be no different. If nothing else, however, the anticipation seems just a bit higher.