Last night the House of Representatives passed HR 3523, the Cyber Intelligence Sharing and Protection Act, or CISPA. We鈥檝e written about the many privacy problems with this bill, but here I would like to focus on one of its biggest and most fundamental flaws: it empowers the military, including agencies like the NSA, to collect the internet records of Americans鈥 everyday internet use.
It is a long-established principle that the military is not permitted to spy on Americans . Authorizing the NSA to turn its powerful eavesdropping apparatus on Americans would pose a significant threat to our privacy and a major departure from our values. Even in the wake of the September 11 attacks and the many rewrites of our surveillance laws over the last decade, Congress has never turned the NSA loose on the internet without even minimal court and congressional oversight. Yet, that鈥檚 exactly what the House has now passed.
While we have some bones to pick with the Obama administration over privacy issues, they have been strongly supporting the principle of keeping domestic cybersecurity programs in civilian hands. Although Congress seems intent on ignoring it, the Administration has consistently sent this message to Congress over the last year:
鈥HS Secretary Napolitano before the Senate Committee on Homeland Security and Government Affairs that the that designates a civilian government agency such as DHS as the lead agency in the government鈥檚 cybersecurity efforts.
鈥he administration transferred a program called the (under which the federal government shares classified signatures and other cybersecurity information with defense contractors) out of the Pentagon and into DHS. In February 2012, Secretary Napolitano told Congress that the Administration transferred control of the DBI Pilot to DHS because as a civilian agency, existing laws and authorities make DHS better situated to coordinate this type of information sharing program with the private sector. If a civilian agency is best suited to administer program focused on sharing classified data with defense contractors that build military weapons systems, then it is certainly best suited to coordinate the cybersecurity and information sharing efforts of the federal government on domestic, civilian networks.
鈥hen the White House wrote its own cybersecurity bill last year, it made the Department of Homeland Security the lead agency to coordinate government cybersecurity and related information sharing efforts. This proposal was the result of an extensive interagency process. Of course, this would not prevent DHS from relying on NSA expertise; they have long done so and DHS already has access to the cybersecurity capabilities and assistance that the NSA can provide, pursuant to a that both agencies signed in 2010. Under this agreement, the NSA is authorized to provide DHS any assistance or access to its capabilities that DHS requires in order to carry out its cybersecurity responsibilities.
鈥erhaps most signficantly, the administration cited the principle of civilian control in issuing its veto threat Wednesday over CISPA . The administration that 鈥淗.R. 3523 effectively treats domestic cybersecurity as an intelligence activity and thus, significantly departs from longstanding efforts to treat the Internet and cyberspace as civilian spheres.鈥
Any claims that DHS or other civilian agencies aren鈥檛 capable of handling cybersecurity are belied by comments to the contrary by officials from within the military establishment itself. Current and former high-ranking officials from the Department of Defense have stated publicly that DHS, and not DoD, should be the lead agency directing government cybersecurity efforts.
For example, Eric Rosenbach, deputy assistant secretary of Defense for Cyber Policy in the Department of Defense, said at the annual RSA Security Conference in February, that should be responsible for securing the domestic, civilian internet. 鈥淚t鈥檚 almost certainly not the right approach for the United States of America to have a foreign intelligence focus on domestic networks, doing something that throughout history has been a domestic function,鈥 he said. 鈥淏ut that doesn鈥檛 mean that DoD and NSA don鈥檛 play in the game,鈥 he added. 鈥淲e鈥檙e more the supporting effort.鈥 And even , who has been an outspoken proponent for appointing the NSA as the government鈥檚 lead agency for cybersecurity, has acknowledged that the NSA could assist in the cybersecurity effort under DHS leadership.
Sadly, the House Rules Committee did not permit a vote on amendments offered by Rep. Jan Schakowsky and Rep. Bennie Thompson that would have ensured that domestic cyber information collection be housed civilian agencies. To prevent the NSA from collecting our internet records in the name of cybersecurity, the only thing left for Congress to do is say 鈥榥o鈥 to CISPA.