A Defense Science Board report made public last week contained shocking allegations about the extent of Chinese military hacking of American defense technologies. Though China's government denies it — huffily insisting that it has no need for American military technology — the report disclosed that Chinese cyberattacks had yielded data from dozens of weapons systems, including missile defenses and the F-35 Joint Strike Fighter. That comes on top of reports that Chinese hackers had successfully infiltrated the computer systems of a wide variety of U.S. corporations, think tanks and media outlets. Hacking is now at the top of the agenda for President Barack Obama's summit this month with new Chinese President Xi Jinping.
China is, of course, not the only source of cyberthreats. They come, too, from Russia, Iran and elsewhere, including domestic hackers. Congress has long been aware of the problem and has sought for at least the last two years to pass legislation that would facilitate information sharing and cooperation between private corporations and the government. Maryland's Rep. Dutch Ruppersberger, who is the ranking Democrat on the House Intelligence Committee, has been in the middle of the effort, along with Republican Rep. Mike Rogers of Michigan, who chairs the committee. Their bill, the Cyber Intelligence Sharing Protection Act, or CISPA, passed the House in April on a bipartisan vote, 288-187.
But it is going nowhere in the Senate, and for good reason. Although this year's version of CISPA is an improvement in some respects, it still trades away too much privacy in the name of security. President Obama has threatened to veto it if it reaches his desk in its current form, and Sen. Dianne Feinstein, a California Democrat, is working on her own version of a cybersecurity bill along with some Republicans. She doesn't need to throw out the framework of CISPA entirely but should refashion it so that it does not give the government unnecessary personal information and sets limits on what the government and corporations can do with the information they get.
The American Civil Liberties Union, the Electronic Frontier Foundation and others object to CISPA because it overrides existing privacy laws and Internet companies' individual privacy policies to allow corporations to give the government and each other information about potential cybersecurity threats. That could include users' email addresses, Internet use records, location data, contacts and emails, among other things. Such information is not generally necessary to determine the nature of a threat and combat it, but its dissemination opens the possibility for misuse.
Whatever law Congress passes should require that companies attempt, as far as possible, to strip personally identifying information out of the data they provide to the government and each other. To the extent that such information sharing occurs now, many companies follow that practice already.
The most recent version of CISPA at least sets limits on what companies can do with the personal data shared with them by other firms — barring, for example, commercial uses — but it does leave open the possibility that the information could be shared directly with military agencies, including the NSA, a chilling prospect given the government's history of domestic espionage in the name of national security. Some corporations, such as many defense contractors, already work directly with the military on cybersecurity, and that is appropriate, but it need not be and should not be the norm. A civilian agency should be the one to handle the data in most cases.
Finally, the Senate needs to reject the "hack-back" provisions in the House legislation. CISPA not only immunizes companies from liability for sharing information but also gives them broad protection for what they do in response to the information they share or receive. In particular, there is reason for concern that such protections could encourage cyber-vigilantism, diminishing the rule of law and causing collateral damage to innocent Internet users. The Senate needs to eliminate any ambiguity about what is and is not allowed.
There is no question that the need for a response to growing cyber threats is urgent, but we should not create new and different threats to Internet users in the process. The Senate must put privacy protections at the center of its cybersecurity legislation. And if members of the House believe hacking is as clear and present a danger as they say, they should be willing to accept those protections.