As my readers may remember, I opposed the SOPA/PIPA legislative acts and participated in the blackout on January 18th to protest them. A new bill, the Cyber Intelligence Sharing and Protection Act (CISPA), has now passed the U.S. House of Representatives. The bill was proposed by Mike Rogers (R-MI) and is co-sponsored by Dutch Ruppersberger (D-MD), and they are now looking for support in the U.S. Senate to pass a similar bill. Many advocacy groups (e.g., ACLU, EFF) have criticized CISPA, and the vote for it in the House was very partisan (Republicans generally supported it, and Democrats generally opposed it). I just heard a defense of the bill by Representative Ruppersberger at the First Annual Cybersecurity Symposium hosted by the Maryland Cybersecurity Center, and I’d like to share a few thoughts.

It seems to me that CISPA is a great deal more limited in intent than SOPA/PIPA. There are no direct references to piracy or site-blocking. In theory, it addresses a very specific problem: the inability of government agencies in the intelligence community (CIA, DOD, DHS, NSA, etc.) to easily hand off security data to private companies in dealing with online security issues. For instance, an agency may discover a new type of computer virus and want to transmit the virus’s signature to an ISP for filtering. I don’t really see a problem with this.

I do have an issue with the vague language of the bill. Terms like “cybersecurity” are used and their definitions are either vague or extremely broad. In particular, I find the “notwithstanding any other provision of law” clauses in Sections 2.b.1.A and 2.b.1.B to be extremely dangerous. My understanding is that this essentially allows this law to override *any* other restriction on information sharing. This provides a level of immunity for such information sharing that I think is unwarranted, and I don’t think it’s necessary for this clause to be present in the bill.

Thus, I feel I must oppose the bill as written, not because I disagree with the fundamental goal but because I feel the specific language is too broad. I realize that all legislation regarding security issues must be inherently vague to some extent, but I believe this legislation is just over the limit of what is reasonable. If the “notwithstanding” phrases were removed, I could probably support it, but there may be other clauses that need restriction as well.

