On Feb. 13, Rep. Mike Rogers (R-MI) introduced the Cyber Intelligence Sharing and Protection Act (CISPA) in the House of Representatives – again.
The legislation, which failed last year in the Senate, would amend the National Security Act of 1947 to allow the exchange of electronic information about citizens between government intelligence agencies and the private corporations that make up the nation’s critical infrastructure. Included in this latter category are banks, pharmaceuticals, energy corporations and utilities.The Business Roundtable, an association of the CEOs who run private corporations with combined annual revenues of $7.3 trillion, endorsed the proposed law in a document released this past January, so the heavy hitters were lining up behind the proposition even before it existed.
Since 9/11, Americans have grown accustomed to relinquishing our civil rights whenever the government claims that national security is at stake. It’s curious, though, that even as the 2001 attacks recede in time, and a weakened Al Qaeda can no longer operate internationally, the government continues to encroach on our right to privacy. The broadening insistence on widespread surveillance is justified by proliferating enemies such as Hezbollah, the governments of China and Iran, transnational organized crime, hackers and hacktivists, spammers, phishers and general terrorists. The fact is that we are no longer sure whom we should fear – or why. Yet we are expected to permit the government and private corporations to examine our private lives without limit.
You cannot imagine what it is like to have the government scrutinizing your every action until it has happened to you. We can learn, though, from the experience of those who have already been on the receiving end of this whistleblowers who have disclosed gross waste, potential fraud and serious misconduct at the National Security Agency (NSA) and the Central Intelligence Agency (CIA), for example. After they became whistleblowers, the government monitored their every digital move: every credit card transaction, Internet site visit, phone call and e-mail fed the insatiable maw of the State. But at the very least, the surveillance agencies had to have a warrant.
For organizations working for accountability in government and corporate institutions, it is therefore important to know how serious the cyber security problem really is before completely relinquishing the efficacy of the fourth amendment (freedom from unreasonable search and seizure). The proliferating number of existential cyber-threats presented to us by government and the BRT suggests, in itself, a certain hysteria. Similarly, a Bloomberg Government study, excerpted on the web, presents a terrifying prospect of cyber invasion. The deep, urgent voice-over, is accompanied by a video with high-tech graphics and an ominous beating drum. At one point, the graph onscreen morphs from a stock market crash to a vital signs monitor and threatens “catastrophic loss of life” as the graphic flat-lines and the beep that presumably represents a heartbeat becomes a dead, droning monotone instead. This will be, of course, the consequence of imminent cyber threats.
In contrast to the video, however, the prose report, which is behind a paywall and was published in January 2012, shows how confused and confusing the data about cyber-threats really are. The financial institutions in the study, for example, estimated that the sector as a whole already detects 89 percent of the cyber attacks presumably experienced in 2010. Of these, 51 percent were false alarms. Those percentages were roughly constant across the health care, energy, and communications industries.
Two points are relevant about this study. First, the numbers are perceptions and guesses. The respondents cannot possibly know how many attacks they’re not detecting. Secondly, in social science, typically, when 51 percent of the data points in a given data set are false, the proposition in question is junk.
Despite the fuzzy numbers, the Business Roundtable is plugging CISPA hard because the new law would remove “legal barriers” now preventing the “bidirectional sharing of information between public and private sectors.” In other words, privacy protections would be gone under CISPA. Corporations that turn their consumers’ information over to government intelligence agencies could not be sued for doing so. Nor could citizens prevent the government from supplying private corporations with personal information. And more importantly, under CISPA, these data exchanges would take place beyond the reach of the Freedom of Information Act, so that even if we suspect our personal information is under examination, we would have no right even to ask whether this is, in fact, true.
CISPA, then, which promotes government and corporate secrecy while reducing individual privacy, turns democracy on its head. In a democratic political system, the rights of individual citizens (and groups of citizens) must always be weighed heavily when they conflict with the demands of the government. Although this balance may shift in wartime to protect the security of the nation as a whole, it is far from clear that 2013 represents wartime in any meaningful sense. It is important in the United States that the privacy rights of citizens take precedence over government secrecy unless or until there is a compelling reason to shift the balance. Right now, there is not.
Bea Edwards is Executive Director for the Government Accountability Project, the nation’s leadingwhistleblower protection and advocacy organization.