As expected, CISPA 2.0 passed the House of Representatives yesterday and the various privacy protections sought through amendments were dropped. Although much has and will continue to be written about the merits (or lack thereof) of the bill -- especially its infamous "notwithstanding any other provision of law" clause -- I think this also provides opportunity to comment more generally upon the nature of modern American lawmaking pertaining to cybersecurity.
Interestingly, in discussing CISPA 2.0 with a prominent colleague in the cybersecurity industry, he lamented that the fault for CISPA-like legislation is theirs (the IT and cybersecurity profession) for failing to achieve their goals of building, sustaining, and administering a secure digital infrastructure, thus forcing Congress to intervene with a broad and likely ineffective sledgehammer solution when a scalpel is required. His sentiment echoes my own views on CISPA 2.0 from February 2013 that can be found here.
Now, let's return to CISPA 2.0...
Back in 2006, former Senator Ted Stevens' confident assertion that the Internet is a "series of tubes" (full & highly-entertaining audio) provided a viral portrayal of how out-of-touch many lawmakers are on matters of technology and the Internet. In 2013, CISPA 2.0 co-sponsor Congressman Mike Rogers' comment about "14-year-old tweeters in the basement" being the primary opponents of the law likewise suggests an ignorance of Internet realities and provided its own viral-media phenomenon in the week before CISPA 2.0's vote in the House. Rogers apparently chose to forget that those who tweet are not just angsty teenagers but people using contemporary forms of mass communication to ... communicate! Even the normally slow-to-act Securities and Exchange Commission (SEC) now recognises social media services (including Twitter) as an 'approved' method of disclosing certain types of corporate information in an era of constantly-changing pervasive communication methods. But because citizens of all ages took to this new medium called 'Twitter' to express their concerns over CISPA 2.0, Rogers preferred to characterise them all as ignorable adolescent basement-dwellers. Would he say that if the Twitterverse was praising his proposal? I think not.
Sadly, we see legislators professing the universality of their views both about the underlying issue itself[1] and in the support for (or opposition to) their desired solutions: in Rogers' case, he believed the majority of CISPA opposition came from teenage basement-dwellers and also boasted about how he was "unable to find a single United States company" opposing the reintroduced proposal -- which in reality was not true at all. There must be an institutional amnesia in Congress regarding the vocal opposition to CISPA and other controversial Internet-related legislative proposals last year -- don't they remember SOPA, PIPA, and yes, CISPA 1.0?
However, in legislative parlance, Rogers makes a factual statement and employs a classic Congressional tactic: if you don't look for something, you're probably not going to find it. And if you are deaf to opposing views, then you're probably not going to hear them, either. Then again, if you have deep-pocketed industry groups and former Congressional staffers giving you 'advice' on legislative issues....anything is possible, right? Unfortunately, this all helps develop and/or shape a misguided understanding of reality.
When dismissing renewed concerns over privacy in CISPA 2.0, Rogers notes that the proposed law "does something very simple: it allows the government to share zeroes and ones with the private sector.” Yet as pointed out elsewhere, Rogers can't keep his story straight about which government agencies might obtain access to those "zeroes and ones" collected and exchanged under CISPA 2.0! As we've seen with TSA watchlists, national security letters, and other Kafkaesque 'post-9/11' security "tools" (some of which are classified or subject to the questionable practice of secret interpretations) it's very hard to trust the government (or anyone) to do the right thing when it won't let you see what it's doing....or even knows what it's doing itself, for that matter.
This suggests that a significant problem facing the country in terms of cybersecurity lawmaking isn't necessarily the threat of Chinese hackers, Russian crime syndicates, or Nigerian scammers. Rather, it is the sense by Congress that it can create its own parochial and absolute version of reality as the basis for developing Internet and technology policy.
As such, it is not surprising to see many in Congress preaching "trust us" as an acceptable defense for flawed or controversial legislation such as CISPA 2.0. In his view of the world, Rogers believes there never will be a reason or opportunity for CISPA 2.0's provisions to be violated, abused, extended, or circumvented -- and thus no need to codify that "spirit of the law" and reassure privacy advocates as a sign of good faith. News.Com's Declan McCullagh chronicles the valiant last-moment attempts to add more clarity to Rogers' legislative absolutism, all of which were defeated soundly:
- Limiting the sharing of private sector data to civilian agencies, and specifically excluding the NSA and the Defense Department. (Failed by a 4-14 vote.)
- Directing the president to create a high-level privacy post that would oversee "the retention, use, and disclosure of communications, records, system traffic, or other information" acquired by the federal government. It would also include "requirements to safeguard communications" with personal information about Americans. (Failed by a 3-16 vote.)
- Eliminating vague language that grants complete civil and criminal liability to companies that "obtain" information about vulnerabilities or security flaws and make "decisions" based on that information. (Failed by a 4-16 vote.)
- Requiring that companies sharing confidential data "make reasonable efforts" to delete "information that can be used to identify" individual Americans. (Failed by a 4-16 vote.)
Therefore, why should we view this bill favourably when its own sponsors refuse to acknowledge the potential that its provisions might be abused and/or take very modest steps to prevent such abuses? This is not without precedent: one only has to look at the Orwellian-named "PATRIOT" Act to see the Department of Justice's own internal reviews documented repeated instances where provisions of that controversial law were used by the FBI for reasons far beyond their intended and declared purposes. Why should we accept CISPA 2.0 with any less scepticism? As the saying goes, history may not repeat, but it sure does rhyme.
Of course, my strongest concern with CISPA 2.0 remains with its ‘notwithstanding any other law’ language that effectively overrides any and all other existing legal and regulatory frameworks. Clearly, this can adversely impact things like privacy, corporate or government accountability, free markets, contributing to an informed democratic citizenry, ensuring Internet users are knowledgeable (or empowered) about the products and services they use. But again, such concerns are without merit in the eyes of the bill's proud sponsors, because in their view, CISPA 2.0's provisions would never, ever be used for such purposes. Just trust them - because that's what they believe to be an absolute truth and reflection of reality.
Rather than fight for CISPA 2.0, Congress - and the American people - would be better served by a thorough and well-informed (i.e., objective) re-examination of our existing Internet, communications, cybersecurity and information-sharing laws and updating them for the modern day. That will be a far more efficient undertaking and likely lead to more meaningful, privacy-aware legislative initiatives than ideas like CISPA 2.0, which offers little real improvements for cybersecurity but provides significant potential for controversy and abuse.
Although CISPA 2.0 passed the House 288-127 yesterday, it remains unclear whether the Senate will endorse it as-is or if the Obama administration will carry though on its declaration to veto it on privacy concerns. With the veto threat in-place, perhaps the Senate will be comfortable letting CISPA 2.0 wither and die on the legislative vine. In doing so, it will defend the privacy rights of American citizens and demonstrate its committment to appropriately balanced legislation that produces meaningful and effective cybersecurity outcomes.
[1] Frequently based on information made available only to cleared members of a Congressional committee but which cannot be disclosed publicly. How convenient.
* * * * *
Edit: Rep. Mike McCaul (R-TX) had the audacity to subconsciously link the Boston bombings to cybersecurity and CISPA 2.0, saying that while Boston had "real bombs" CISPA 2.0 was helping defend against "digital bombs." Shameless!