SHARING: THE RIGHT CYBERSTRATEGY
Every day, U.S. businesses are the targets of cyber-espionage operations sponsored by countries such as China and Russia. The cost is significant: Every year, U.S. industry suffers huge losses of valuable research and development data and other sensitive information (not to mention the increased costs associated with securing data). Estimates are hard to come by, but numbers in academic literature range from $2 billion to $400 billion per year. Just as important, many of the same techniques can be used to attack the critical infrastructure U.S. citizens depend on daily. Too often, these attacks are successful because of a key and completely unnecessary vulnerability: legal and policy barriers that prevent U.S. companies from sharing information with one another and with the government about attacks.
Without real-time information sharing, U.S. companies cannot adapt and respond to cyberattackers' constantly changing tactics. Legal and policy restrictions also prevent the government from sharing the classified information it has collected overseas about state-sponsored cyberattackers that would help companies ramp up their defenses.
The good news is that there is a broad bipartisan consensus today on how to move forward. Both houses of the U.S. Congress have debated about how to tear down these barriers without sacrificing citizens' privacy and civil liberties. The result is the Cyber Intelligence Sharing and Protection Act, or CISPA, which passed the House with a strong bipartisan vote of 248-168 in late April and now awaits consideration in the Senate.
So it was disappointing to read Rebecca MacKinnon's essay, "A Clunky Cyberstrategy," in the pages of Foreign Affairs last month. Her argument -- that cybersecurity information sharing somehow undermines Internet freedom -- misses the mark completely, as it injects unrelated issues into the debate on how to best protect our nation's cybersecurity while ensuring full and robust protection of privacy and civil liberties. Although there is no question that the United States should be (and, in fact, is) working to promote Internet freedom worldwide, the essay is riddled with misrepresentations and inaccuracies about CISPA. The bill, of which I am the lead sponsor, along with Congressman Dutch Ruppersberger (D-Md.), does not purport to solve every one of the United States' challenges in the cyber arena, but it is an important first step toward helping this country's private sector better defend itself.
For starters, MacKinnon's claim that CISPA is about surveillance and her discussions of unrelated laws and policy debates obscure the real debate about protecting the nation while maintaining citizens' privacy and civil liberties. What CISPA is truly meant to do is eliminate unnecessary barriers to the sharing of cyberthreat information without sacrificing any of the privacy rights that U.S. citizens cherish. It does so by authorizing robust cyberthreat information sharing within the private sector and, on a purely voluntary basis, with the government.
Moreover, contrary to the unsupported claims in MacKinnon's essay, CISPA provides strong protections for privacy by clearly setting out the extremely narrow range of information that can be shared under the bill's authorities. The bill's definitions clearly state that only information "directly pertaining" to cyberthreats can be shared.
What does that mean in practice? Only information such as tactics used by a Chinese hacker, samples of malicious code used in the attack, or the Internet address in China from which an attack originated would be authorized to be shared. Sharing any information not directly pertaining to a cyberthreat, such as e-mail content or other personal information of U.S. citizens unrelated to such threats, is not authorized by the bill.
Protections do not stop there. The bill prohibits the government from requiring the private sector to provide information. It also contains a provision that explicitly prohibits any government entity from forcing private firms to give up information by threatening to withhold intelligence. To the contrary, the bill encourages the private sector to "anonymize" or "minimize" the information it voluntarily shares with the government and overtly authorizes the government to create reasonable procedures to protect privacy and civil liberties. And, perhaps most important, the bill also puts in place strict restrictions on the government's use, retention, and searching of any data voluntarily offered by the private sector to the government.
And these protections are enforceable. CISPA would allow individuals to sue the federal government for damages, costs, and attorney's fees in federal court for any violations of these customized privacy protections. The bill also ensures strong public and congressional oversight by requiring the independent inspector general of the intelligence community to conduct a detailed annual review of the government's use of any information voluntarily shared by the private sector and by requiring the inspector general to provide an unclassified report to Congress, specifically including recommendations to better protect privacy and civil liberties.
To be sure, MacKinnon echoes the Obama administration's criticism of our bill. Unfortunately, those criticisms, which her essay simply repeats, addressed an earlier version of the legislation and do not account for the amendments made on the House of Representatives floor with my support and the support of nearly every member of the House. Indeed, these amendments provide many of the very privacy and civil liberties protections described above. MacKinnon's essay also fails to note that much of the Obama administration's critique was directed at the bill's lack of regulation of critical infrastructure, an issue completely out of my committee's jurisdiction and therefore not addressed by this particular legislation.
Finally, the bill, should the Senate pass it and the president sign it, would sunset in five years, permitting Congress to review carefully the use of the authorities provided under the legislation and determine whether it should be extended or modified.
The bill was the product of a completely open and transparent process that involved over a year's worth of careful consultations with a broad range of private-sector companies, trade groups, privacy and civil liberties advocates, and the executive branch to ensure that we achieved the goal of improving cybersecurity without compromising privacy or civil liberties. I am proud to say that we achieved that goal and that a substantial bipartisan majority in the House of Representatives agrees. It is too bad that MacKinnon repeats Internet myths, instead of relying on the text of the bill passed by the House itself.
MacKinnon concludes her essay, "So long as confusion reigns, there will be no successful global Internet agenda, only contradiction." Actually, confusion stems directly from myths like those perpetuated in MacKinnon's piece.
At the end of the day, the answer to protecting Internet freedom is fairly simple: We have to make the Internet a safe and trusted space for people to interact and share their views and ideas. Better cybersecurity -- housed in the private sector but strengthened by government information -- is key to achieving this goal. By allowing the private sector to expand its own cybersecurity efforts and employ classified information to protect systems and networks, CISPA will harness private-sector drive and innovation while keeping the government out of the business of monitoring and guarding private-sector networks. And there is nothing clunky about that; to the contrary, it is the right strategy for protecting our nation from this twenty-first-century threat.
MIKE ROGERS is a Republican Representative from Michigan and Chairman of the House Intelligence Committee.
Contrary to what Congressman Mike Rogers (D-Mich.) implies, I share his concern for the security of the United States' online networks. U.S. companies are indeed fighting off attacks, and better defenses are needed. At no point in my essay did I dismiss the seriousness of the problem. I am well aware of the facts presented by numerous security experts on the many ways in which the United States' digital networks have come under siege by cybercriminals and under daily assault by hackers in league with various foreign governments.
My article offered an overview and a critique of the Obama administration's global Internet freedom policy. My core argument was that "Internet freedom" as a policy goal will be severely diminished and discredited if the United States does not do more to counter surveillance technologies and practices that are ripe for abuse, even in democracies. I cited the Cyber Intelligence Sharing and Protection Act of 2011 (CISPA) as one of many examples of that concern -- one that has been raised by a range of U.S. citizens.
Internet freedom is not possible without freedom from fear, and users will not be free from fear unless they are sufficiently protected from online theft and attack. That is why consumers and voters must demand that companies and governments take security seriously. My point was not that cybersecurity information sharing undermines Internet freedom, but that the pursuit of cybersecurity must not destroy users' right to another kind of security -- security from unreasonable search and seizure as guaranteed by the Fourth Amendment.
The remedies proposed within CISPA -- even as currently amended -- lack sufficient safeguards for citizens' civil liberties. Rogers points out that the bill received bipartisan support, but readers should also be informed that the bill faced strong bipartisan opposition as well -- 168 members of the House of Representatives voted against it.
Outside of Congress, opponents of CISPA spanned the political spectrum. Consider the diversity of those involved: the American Civil Liberties Union, the Center for Democracy and Technology, the Electronic Frontier Foundation, the Consumer Federation of America, the American Library Association, FreedomWorks, Americans for Limited Government, the Liberty Coalition, and the American Conservative Union. Many of these groups' concerns were not allayed by the bill's 11th-hour amendments. Some, such as the Center for Democracy and Technology, worked with Rogers' Intelligence Committee to the very end in hopes of improving CISPA, recognizing that the legislation's core goal is worthy of support. Some of the amendments did represent meaningful improvements.
In the end, however, the Intelligence Committee issued a rule excluding amendments that would have fixed the two major problems with the bill. First, the legislation empowers the private sector to share information not only with civilian agencies but also with the National Security Agency and other parts of the Department of Defense. Although the NSA has been engaged in warrantless wiretapping of civilian networks for some time, this is considered by many U.S. citizens across the political spectrum to be a clear violation of civil liberties. CISPA would further legitimize military access to domestic civilian networks in violation of a long-standing value that the U.S. military must not operate on U.S. soil against its citizens. Second, the bill still allows the government to use information shared by the private sector for national security purposes unrelated to cybersecurity, such as law enforcement and intelligence.
Rogers implies that my opinions were formed by reading tweets, not the bill. In fact, I have read it. And I stand with many others who have also read the bill and have reached the same conclusion as I have: CISPA does not go far enough in protecting civil liberties.
Americans are constantly struggling -- and fiercely disagreeing -- over the acceptable balance between security and liberty. That is what distinguishes us from authoritarian countries such as China, where the government does what it deems necessary to preserve its power in the name of public safety and national security. In seeking to defend the United States from Chinese hackers, however, U.S. citizens must not allow Congress to make their Internet just a little bit more like the People's Republic.