We've heard plenty of civil liberties advocates object to
the Cybersecurity Intelligence Sharing and Protection Act (CISPA), claiming the
privacy rights. However, one group opposed to the act argues that it
actually allows businesses to commit the very behavior it aims to curb -- that
is, it allows them to hack the computers of anyone they believe is hacking them.
"CISPA says that a company gets immunity for any decisions
made based on cyber-threat information that they receive under the bill and
based on cyber-threat information that they identify and obtain using cybersecurity
systems," Greg Nojeim of the Center for Democracy and Technology told reporters
in Washington this morning.
This is where Nojeim worries that the bill could permit an
increase in hacking.
"What if one's decision in response to the receipt of cyber-threat
information from someone you think is a bad guy is to render the sending
computer inoperative?" asked Nojeim. "That's certainly within the scope of the
legislation and would be completely immunized."
As Nojeim and his colleagues at CDT read it, CISPA could
allow businesses that think they have discovered a hacker to hit back, or hack
back, against malicious actors in cyberspace -- an action frequently referred to as active
defense. (Yours truly has heard this topic debated plenty of times between
lawyers who are against it and businesses who want to be able to defend themselves
aggressively in cyberspace.)
CDT wants the bill's language tweaked to prohibit this.
"What the bill does not say is, in looking for cyber threat
information you can examine only your own network," said Nojeim. "If you think
the cyber threat information is on somebody else's computer or on somebody
else's network, you have authority, notwithstanding any law, to go get it . . .
and immunity when you do."
Killer Apps reached out to one of the bill's sponsors, House
intelligence committee chairman Mike Rogers, and one of his committee staffers
told us that authorizing companies to strike back at hackers "was not the
chairman's intent." Rogers "intends to address this issue in committee markup"
by adding language specifying that the bill does not authorize businesses to break into other people's networks.
Rogers and the bill's co-sponsor, Rep. Dutch Ruppersberger,
have insisted that they are working
with the White House, privacy advocates, and businesses to address their
"We want to make sure that we meet the level of privacy
concerns, and we think we can do that by working in some very direct language
that expresses, in language, what we believe the bill already does but we want
to reiterate that," said Rogers last week when
announcing that the bill will come up for a committee vote this month.
As it's currently written, the bill specifically says that
businesses can receive immunity from prosecution "for using cybersecurity
systems to identify or obtain cyber threat information or for sharing such
information in accordance with this section; or for decisions made based on
cyber threat information identified, obtained or shared under this section."
"That authorizes hacking that would otherwise be a crime
under current law, it authorizes cybersecurity criminal acts that are described
in this very bill," Nojeim added. "The last place one would think you would find
new authority to hack would be in cybersecurity legislation, but there it is."
Here's what Rogers
said in December when asked how he felt about private entities fighting
back against hackers.
"It's best not to go punch your neighbor in the
face before you hit the weight room," said Rogers, in a warning to both
public and private sector actors that are considering offensive actions to
defend their networks under the growing trend of "active defense."
Government organizations and businesses are still
figuring out the best way to defend themselves from advanced cyber threats.
But, said Rogers, "until we have figured out how we will defend ourselves
and our networks, I would be very, very, very cautious about using an offensive
The lawmaker, speaking at an event at The George
Washington University, added: "Now, you can't do a good defense if you
don't develop the capability for offense...so I completely agree with [building
offensive power]. I'm just very concerned about engaging [in offense] before we
have the ability to defend ourselves because, guess what, something's coming
back" to hit us.