Reviewing the CISPA

On November 30, 2011, the CISPA (Cyber Intelligence Sharing and Protection Act) was proposed to the House by Representative Michael Rogers (R-MI). While it’s been distanced from the wildly controversial SOPA (Stop Online Piracy Act), the CISPA still stands to provide the US government many new options and resources to enforce copyrights and patents, and protect networks against attacks. While it’s since been revised, the CISPA still represents a fairly controversial piece of legislation, one which has been roundly criticized by the privacy rights community.

What is the CISPA?

The CISPA is an amendment to the National Security Act of 1947 that would ultimately allow the US government and businesses to share information about cyberattacks more freely. The government would be able to share with businesses what it knows about security threats. Businesses would also be able to share the information they have with the US government, although doing so would not be deemed mandatory.

This would result in significantly greater sharing of threat details with private companies in the intelligence community. Under the CISPA, private companies would only be permitted to use this information to protect themselves (but not to gain competitive advantage). In doing so, they would be protected from lawsuits, as the information shared under CISPA would be considered exempt from public disclosure.

Some concerning excerpts from the CISPA include:

“Notwithstanding any other provision of law, a self-protected entity may, for cybersecurity purposes – (i) use cybersecurity systems to identify and obtain cyber threat information to protect the rights and property of such self-protected entity; and (ii) share such cyber threat information with any other entity, including the federal government.”

The CISPA defines a “self-protected entity” as “an entity, other than an individual, that provides goods or services for cybersecurity purposes to itself.”

According to the Washington DC-based Center for Democracy & Technology (CDT),

“CISPA… would allow companies to monitor private email, Internet searches, and other online activity and then share information with the government under an excessively broad definition of a cyber threat. Under CISPA, the government could do almost anything with this information, including using it for purposes not related to cybersecurity. The information could go directly to the National Security Agency, a military agency that operates secretly and with little public accountability.”

A significant difference between CISPA and its controversial predecessor, SOPA, is that the web blocking bill was defeated by a strong alliance of Internet companies and millions of disapproving users. However, CISPA is supported by highly visible companies such as Facebook, Microsoft, Oracle, Symantec, Verizon, AT&T, Intel and trade association CTIA, which includes representatives of T-Mobile, Sybase, Nokia and Qualcomm as its board members.

Critics are Saying…

Privacy advocacy groups, including the American Library Association, the Electronic Frontier Foundation (EFF), and TechFreedom, launched a Stop Cyber Spying campaign on April 16, 2012. The bill has – unsurprisingly – drawn the attention of the group Anonymous. A letter sent in April by over two dozen organizations (including the Republican Liberty Caucus) calls for a “no” vote on the CISPA, and over 669,000 people have even signed an anti-CISPA web petition.

American Civil Liberties Union (ACLU) legislative counsel Michelle Richardson argued that the legislation is so broad that the National Security Agency could still vacuum up “… all sorts of sensitive information like Internet use information and the contents of emails.”

According to Lee Tien, an EFF attorney, if the CISPA were enacted, “part of the problem is we don’t know exactly what’s going to happen. I worry that you can get a version of cybersecurity warrantless wiretapping out of this.”

It’s clear that many civil rights groups have spoken out against the CISPA. There are five main privacy-related concerns that have been raised:

  1. Widespread employee monitoring
  2. No information-sharing restrictions
  3. Information may be shared with the National Security Agency
  4. Bill may encourage broad surveillance
  5. CISPA alternatives do exist

Changes proposed, to no avail

In response to privacy rights defenders, lawmakers began proposing changes. According to privacy watchdogs, these changes are not enough and ultimately would still permit Internet service providers to hand over confidential customer records and communications to the National Security Agency.

Critics point out that the CISPA’s proposed changes do nothing to respond to their concerns. None of the amendments or changes narrows down the definition of a cyberattack. They also do not place any restrictions on the kinds of information that may be shared.

However, the proposed changes do increase liability for the government and restrictions for businesses. One proposed amendment would render the government liable for monetary damages if it willfully misuses shared information. Another proposed amendment prohibits businesses from sharing cyber threat information with outside entities, other than specifically approved businesses and government agencies. Finally, a couple of amendments that were approved in mid-April call for an annual review of information sharing and prohibit companies from making quid pro quo deals with the government, where they only get information if they will share back.


This article takes a look at the proposed CISPA (the Cyber Intelligence Sharing and Protection Act), which stands to give private companies new ways of sharing information on cyber threats with the US government, and vice versa. Like the SOPA (Stop Online Piracy Act), the CISPA has drawn a lot of criticism from the privacy rights community and internet activists alike. However, it is supported by an alliance of highly visible and influential Internet companies (e.g. Facebook, Microsoft, Symantec, Oracle, AT&T, etc.). Although changes and amendments to the CISPA have been proposed since its introduction, critics maintain that this does nothing to protect the privacy of users.

CIPP Exam Preparation

In preparation for the Certified Information Privacy Professional/Information Technology (CIPP/IT) exam and the Certification Foundation Course and Exam (Foundations), a privacy professional should be comfortable with topics related to this post, including:

  • Privacy responsibility framework (CIPP/IT; II.B.)
  • Combating threats and exploits (CIPP/IT; III.E.b.)
  • Privacy and data protection regulation – United States (Foundations; I.D.b.)
  • Threats to online privacy (Foundations; III.B.b.)
