Have you heard about CISPA? It’s the acronym for the Cyber Intelligence Sharing and Protection Act.
CISPA is being likened to the now-moribund SOPA and PIPA bills smothered by Congress after widespread public opposition.
However, only opponents see similarities. Advocates see it as completely different.
While SOPA and PIPA were about shutting down US web sites serving as the “tubes” through which suspected pirated intellectual property flowed, CISPA is about private companies sharing data in both directions with US government agencies, including Pentagon spy agencies like the National Security Agency (NSA).
Opponents of CISPA, however, see similarities because they say that once again the government is trying to give itself too many easily abused powers to violate the constitutional rights of Americans. In this case, the concern is a potential violation of the Fourth Amendment (unreasonable searches and seizures) rather than the First (abridging the freedom of speech).
Major opponents include the Electronic Frontier Foundation, which has a detailed FAQ about the bill on their web site.
CISPA came out of committee in December, and is being changed to address some of the concerns of opponents before it’s formally debated or voted upon sometime in the future.
Why the Government Wants CISPA
You can read a hundred articles about CISPA and not get a straight answer about the threat it attempts to address, so I’ll do that here. Chinese hackers are hacking American companies blind.
Private companies, hackers for hire and probably some elements of the Chinese government have perfected the art of hacking for the purpose of industrial espionage -- stealing the trade secrets of foreign companies and then selling or giving them to Chinese companies.
Other countries, including Russia, also have strong industrial espionage programs that are probably state-sponsored. But nobody does it like China.
Congressman Michael Rogers, a sponsor of CISPA, said this week that he’s “never seen something grow more exponentially serious than China's capabilities in cyber espionage... It is so prolific—it's breathtaking. In the last year, China has stolen so much intellectual property that it would be considered 50 times the print collection of the United States Library of Congress.”
The problem of Chinese industrial espionage may be considered the most likely issue that could draw China and the United States into an actual, full-blown war.
The Guardian newspaper this week revealed that the Pentagon and the Chinese military establishment have been cooperating on a series of “war games” as a way to prevent future war between the two countries.
The basic “war games” scenario is one in which each side launches a Stuxnet-type virus attack against the other, and the exercise explores how each would respond to such an attack.
According to the article, “The need for the meetings has been underlined in recent months as the US and the UK have tried to increase pressure on China, which they regard as chiefly responsible for the theft of billions of dollars of plans and intellectual property from defense manufacturers, government departments, and private companies at the heart of America's national infrastructure.”
OK, So Why CISPA?
When a malicious hacker attacks a network, he gets access to some part of a system, looking for targets, vulnerabilities and additional information that will enable him to gain access to other parts of the system.
In the case of industrial espionage, the home run is to steal intellectual property in the form of source code, internal communications and all kinds of business information that might help another company outbid, negotiate and generally defeat competitors in the marketplace.
A good hacker tries to cover his tracks, erasing data from log files and removing evidence that he gained access.
To counter such an attack, it’s vital that the security team itself have access to the same network in order to search for clues that the system was compromised, and to figure out how the break-in was accomplished.
No network is an island, so it also helps to have access to the technical details from the manufacturers of the network and security equipment and software, and in some cases to be able to spy on the alleged hacker -- read his emails, that sort of thing.
Here’s the problem in a nutshell: China has access to US corporations’ networks, but the US government does not, at least not legally.
Because Chinese industrial espionage is considered a threat to national security, the US government believes it needs information about the same US networks that Chinese hackers have accessed in order to discover the means of access, figure out a solution, then share that solution with other US companies so they won’t be so easily compromised.
I don’t believe for a second that the NSA or any other spy organization would hesitate to itself break into US companies’ networks to shut down Chinese hackers. But stopping industrial espionage would be a lot quicker and easier with the general cooperation of US law and also the companies involved.
CISPA would authorize the Department of Homeland Security, the NSA and other US government organizations to share intelligence about hack attacks with private US companies, and enable the companies to share information about break-ins with the government without fear of being sued by users.
Google’s support for CISPA would be unsurprising, given that the company reportedly sought help from the NSA when its networks were attacked by Chinese hackers in December of 2009.
The reason many companies will support CISPA is that they want more protection from industrial espionage attacks, and also want more legal protections when they cooperate with the government.
The problem is that, despite significant changes made to the language of the bill in recent days, it still provides a loophole in existing privacy laws, and enables companies to share user data with government agencies in a less-than-transparent way.
Privacy advocates want clear definitions of what kind of information can be shared, as well as controls and limits on how that information is used.
Many are calling for SOPA- and PIPA-style boycotts and protest action. But I don’t see that happening.
The reason is that, unlike in those cases, key companies really want some version of CISPA passed into law.
The privacy advocates and concerned citizens who want CISPA killed outright will not find a lot of powerful allies in this fight like they did with SOPA and PIPA.
I think the most likely outcome is that the bill will be softened further, debated then passed into law.
The debate on CISPA will probably grow more heated in the weeks to come. And although you’re going to see few companies boldly voicing support (cowed by the reaction of the public to companies that publicly supported SOPA), you’re also not going to see a lot of companies voicing opposition, either.
With the government strongly in favor of CISPA, US industry quietly in favor and the general public ambivalent, I’m afraid the privacy advocates are nearly alone on this one.
The best they can hope for is to get as many changes to the bill as they can before it passes, which I believe it will.