CISPA Primer

The Cyber Intelligence Sharing and Protection Act (CISPA) is a piece of legislation designed to thwart cyber criminals by allowing corporations to share data about users with the government. It's not yet law, but it has been introduced three times since 2011, and is still under consideration.

CISPA is essentially an upgrade to the 1974 National Security Act, and it aims to empower the government to acquire cyber threat intelligence. While CISPA is widely supported by corporations, it has been hit with criticism from privacy and civil liberties organizations.

CISPA also spawned a related bill, the Cybersecurity Information Sharing Act of 2015 (CISA). CISA has been referred to as a "zombie" version of the original CISPA bill, and has now been signed into law.

The Pros and Cons of CISPA

CISPA was designed to protect against two main outcomes: information security breaches, and cyber security threats. It proposed a mechanism where private companies would be allowed to share data with the government, in an effort to highlight suspicious activity, or communications that could indicate threats.

The bill would give the US government the power to monitor the use of networks and services, as well as allowing data sharing to prevent crime and threats to children. Importantly, CISPA would also allow the government, and the National Security Agency (NSA), to monitor private communications that take place online. That data could be accessed without a warrant.

The bill has been amended several times. One addition includes the provision for penalties if the government or corporations misuse data for any purpose other than fighting cyber crime. But the Electronic Frontier Foundation is one of many organizations that believe CISPA will open the door to infringing civil liberties, and they say that the amendments don't go far enough.

CISPA was supported by more than 800 companies, represented by an array of trade organizations. These include Verizon, IBM, Microsoft, and Intel, as well as the United States Chamber of Commerce. Google has offered limited support, but it says that CISPA needs more work before it should be implemented. Opponents to CISPA include the Electronic Frontier Foundation and the American Civil Liberties Union, as well as businesses like Apple and Twitter.

CISPA and CISA

Privacy campaigners say that CISA gives corporations and governments powers near-identical to those in CISPA; both would protect companies that handed over personal data about cyber threats.

Under CISPA, the NSA would handle the data. Under CISA, it is managed by the Department of Homeland Security. However, the bill grants the same immunity to companies that actually share that data. And the data could still be passed, uncensored, to the NSA, as well as the FBI.

CISA was brought into law in December 2015 as part of a much bigger piece of funding legislation. Critics say that this was a way to bring CISA into law without further debate, simultaneously bypassing the President's right to veto it.

Implications for Non-US Citizens

Like many US laws, CISA may affect citizens of other countries too. CISA could result in non-US citizens being prosecuted under US law, if they are thought to be involved with a cyber crime that affects a company based in the US.

The example given in a Guardian article is a French hacker who compromises a Spanish person's MasterCard account. That could result in the French hacker being jailed in the USA.

In practice, many countries have similar legislation already. For example, the United Kingdom has its own Cyber Security Information Sharing Partnership, which has a similar purpose.

CISPA Timeline

  • November 2011: CISPA (H.R.3523) introduced by Representative Michael Rogers.
  • April 2012: Stop Cyber Spying Week commenced on social media, led by the Electronic Frontier Foundation.
  • April 2012: CISPA passed by the US House of Representatives, with 248 votes in favor, 168 against, and 15 abstentions. Not passed by the US Senate in the same session. President Barack Obama's advisers suggested that he would veto it.
  • February 2013: CISPA re-introduced as H.R.624.
  • April 2013: CISPA passed by the House of Representatives a second time. It received 288 votes in favor, 127 against, and 17 abstentions. Senate refused to vote.
  • April 2013: hacking group Anonymous staged Internet Blackout Day in protest, joined by around 900 websites.
  • July 2014: Cybersecurity Information Sharing Act (CISA) introduced in the Senate as S.2588.
  • January 2015: CISPA introduced again to the House as H.R.234 by Dutch Ruppersberger. It is referred to the Committee on Intelligence.
  • February 2015: CISPA is referred to the Subcommittee on Crime, Terrorism, Homeland Security, and Investigations, and the Subcommittee on Constitution and Civil Justice, to see if it will come to the House for a vote.
  • March 2015: CISA reintroduced in the Senate as S.754.
  • July 2015: the Department of Homeland Security warns that it may be overwhelmed with data that it cannot manage as a result of CISA.
  • August 2015: the White House indicates that it will support the "zombie" bill CISA.
  • October 2015: CISA is passed by the Senate.
  • October 2015: Edward Snowden dubs CISA a "surveillance bill."
  • December 2015: CISA is signed into law by President Obama.
