George Gershwin, CISPA, and the President’s Veto Threat

This White House sure knows how to snatch defeat from the jaws of victory.

The President’s threat to veto CISPA will likely kill cybersecurity legislation for the year.

Here’s the sentence that I believe will eat away at support for the legislation among its last defenders in Silicon Valley:  “The Administration … remains concerned that the bill does not require private entities to take reasonable steps to remove irrelevant personal information when sending cybersecurity data to the government or other private sector entities.”

Those last four words signal a big change in the status quo.  Most companies today can share information voluntarily with the government without legal constraint, though electronic service providers must demand a subpoena before sharing information. And practically all companies, including electronic service providers, may share cybersecurity information with other private companies without worrying that the government is looking over their shoulders.

So in demanding that CISPA limit sharing with “other private sector entities,” the Administration is proposing a sweeping new regulatory scheme for the private sector. The scheme will actually impair cybersecurity by restricting the information-sharing companies now conduct to protect their networks.

And while the Statement of Administration Position tries to make the new regulatory scheme sound less harsh by claiming that it only requires “reasonable” steps to remove “irrelevant” private information, those words are code for “You’ll need a lawyer before you share any cybersecurity information with anyone.”  After all, reasonableness is a famously elastic concept in the law; you only really know whether your actions were reasonable five years after the fact, when the judge rules. 

And what is “irrelevant personal data” exactly? Can an ISP identify the IP address of the computers sending DDoS packets toward a victim? Much of the time an IP address is personal — it identifies an individual, or at least a family. So is it “relevant” under the Administration’s new proposal? Maybe. Stopping a DDoS attack is often easier if the victim knows the attackers’ IP addresses, but does the ISP have to verify that the IP address will actually help the victim stop the attack before handing it over? Will these quick decisions all be second-guessed at leisure by some privacy bureaucrat?

I say security, you say liability. Let’s call the whole thing off. 

It’s hard to imagine any company supporting a bill that turns today’s largely functional and scandal-free cybersecurity information exchanges into minefields of uncertainty.  And in the absence of industry support, CISPA will be SOPA without Hollywood.

What’s remarkable is that the President started this debate by asking for almost exactly what the House Intelligence Committee has delivered.  Here is the Administration’s original legislative proposal on information sharing. On a quick review, I don’t see any limitations in the President’s proposal on what data the private sector can share — only limitations on what the government can do with the information it receives. Now that it comes to that, I don’t see a lot of the things that the President is suddenly highlighting as fatal flaws in CISPA.

So the short version of this story is simple:  The President says he will veto CISPA because it lacks features that he didn’t even bother to include in his own version of the same bill. 

This is some of the flakiest policy making I’ve ever seen at such a high level, and it strongly suggests that the Administration just isn’t that serious about information sharing for cybersecurity.

PHOTO: Donovan Govan

NOTE:  For those who complained that Steve McQueen was an anachronistic cultural reference, please note that I have taken your advice to heart and am now appealing to an entirely different generation.