House intel committee says CISPA will not allow businesses to go on cyber offensives

We’ve heard plenty of civil liberties advocates object to the Cybersecurity Intelligence Sharing and Protection Act (CISPA), claiming the bill harms privacy rights. However, one group opposed to the act argues that it actually allows businesses to commit the very behavior it aims to curb — that is, it allows them to hack the computers of anyone they believe is hacking them.

"CISPA says that a company gets immunity for any decisions made based on cyber-threat information that they receive under the bill and based on cyber-threat information that they identify and obtain using cybersecurity systems," Greg Nojeim of the Center for Democracy and Technology told reporters in Washington this morning.

This is where Nojeim worries that the bill could permit an increase in hacking.

"What if one’s decision in response to the receipt of cyber-threat information from someone you think is a bad guy is to render the sending computer inoperative?" asked Nojeim. "That’s certainly within the scope of the legislation and would be completely immunized."

As Nojeim and his colleagues at CDT read it, CISPA could allow businesses that think they have discovered a hacker to hit back, or hack back, against malicious actors in cyberspace — an action frequently referred to as active defense. (Yours truly has heard this topic debated plenty of times between lawyers who are against it and businesses that want to be able to defend themselves aggressively in cyberspace.)

CDT wants the bill’s language tweaked to prohibit this behavior.

"What the bill does not say is, in looking for cyber threat information you can examine only your own network," said Nojeim. "If you think the cyber threat information is on somebody else’s computer or on somebody else’s network, you have authority, notwithstanding any law, to go get it . . . and immunity when you do." 

Killer Apps reached out to one of the bill’s sponsors, House intelligence committee chairman Mike Rogers, and one of his committee staffers told us that authorizing companies to strike back at hackers "was not the chairman’s intent." Rogers "intends to address this issue in committee markup" by adding language specifying that the bill does not authorize businesses to break into other people’s networks. 

Rogers and the bill’s co-sponsor, Rep. Dutch Ruppersberger, have insisted that they are working with the White House, privacy advocates, and businesses to address their concerns.

"We want to make sure that we meet the level of privacy concerns, and we think we can do that by working in some very direct language that expresses, in language, what we believe the bill already does but we want to reiterate that," said Rogers last week when announcing that the bill will come up for a committee vote this month.

As it’s currently written, the bill specifically says that businesses can receive immunity from prosecution "for using cybersecurity systems to identify or obtain cyber threat information or for sharing such information in accordance with this section; or for decisions made based on cyber threat information identified, obtained or shared under this section."

"That authorizes hacking that would otherwise be a crime under current law, it authorizes cybersecurity criminal acts that are described in this very bill," Nojeim added. "The last place one would think you would find new authority to hack would be in cybersecurity legislation, but there it is."

Here’s what Rogers said in December when asked how he felt about private entities fighting back against hackers.

"It’s best not to go punch your neighbor in the face before you hit the weight room," said Rogers, in a warning to both public and private sector actors that are considering offensive actions to defend their networks under the growing trend of "active defense."

Government organizations and businesses are still figuring out the best way to defend themselves from advanced cyber threats. But, said Rogers, "until we have figured out how we will defend ourselves and our networks, I would be very, very, very cautious about using an offensive capability."

The lawmaker, speaking at an event at The George Washington University, added: "Now, you can’t do a good defense if you don’t develop the capability for offense…so I completely agree with [building offensive power]. I’m just very concerned about engaging [in offense] before we have the ability to defend ourselves because, guess what, something’s coming back" to hit us.

John Reed is a national security reporter for Foreign Policy. He comes to FP after editing Military.com’s publication Defense Tech and working as the associate editor of DoDBuzz. Between 2007 and 2010, he covered major trends in military aviation and the defense industry around the world for Defense News and Inside the Air Force. Before moving to Washington in August 2007, Reed worked in corporate sales and business development for a Swedish IT firm, The Meltwater Group in Mountain View CA, and Philadelphia, PA. Prior to that, he worked as a reporter at the Tracy Press and the Scotts Valley Press-Banner newspapers in California. His first story as a professional reporter involved chasing escaped emus around California’s central valley with Mexican cowboys armed with lassos and local police armed with shotguns. Luckily for the giant birds, the cowboys caught them first and the emus were ok. A New England native, Reed graduated from the University of New Hampshire with a dual degree in international affairs and history.
