Yes, CISPA Could Allow Companies to Filter or Block Internet Traffic
Rep. Rogers is adamant that CISPA, the Cybersecurity Intelligence Sharing and Protection Act, is cybersecurity legislation intended to help protect critical infrastructure intrusions and private and government information. But as we've written in the past, CISPA is a bill that allows for companies to spy on users, pass along the information to government agencies like the NSA, and potentially filter or block Internet traffic, which could serve as justification for action against sites like Wikileaks. That's why we're calling on users to contact Congress to speak out against this bill.
One of the scariest parts of CISPA is that the bill goes above and beyond information sharing. Its definitions allow for countermeasures to be taken by private entities, and we think these provisions are ripe for abuse. Indeed, the bill defines "cybersecurity purpose" as any threat related to safeguarding or protecting a network. As long as companies act in "good faith" to combat such a cybersecurity threat, they have leeway to protect against “efforts to degrade, disrupt, or destroy [a] system or network.” This opens the door for ISPs and other companies to perform aggressive countermeasures like dropping or altering packets, so long as this is used as part of a scheme to identify cybersecurity threats. These countermeasures could put free speech in peril, and jeopardize the ordinary functioning of the Internet. This could also mean blocking websites, or disrupting privacy-enhancing technologies such as Tor. These countermeasures could even serve as a back door to enact policies unrelated to cybersecurity, such as disrupting p2p traffic.
The Cato Institute warned that one could imagine: "a sysadmin with a vigilante streak reading ['cybersecurity systems'] to include aggressive countermeasures, like spyware targeting suspected attackers." Their analysis continued, "After all, 'notwithstanding any other provision of law' includes provisions of (say) the Computer Fraud and Abuse Act that would place such tactics out of bounds." We think that a rogue sysadmin is not the only concern—no matter what the intention of the bill is now, as political realities change this language can be used to justify the sort of aggressive countermeasures that we've described, or more. This could happen not just in unusual circumstances, but as a matter of policy.
The defense of networks is one reason why the Heritage Foundation is backing the bills. In a letter of support (PDF), Heritage discussed how CISPA gives private entities "clear legal authority to defend their own networks." While we think private entities should be able to defend their networks, they should not be able to do without accountability in a manner that threatens free speech or disrupts the Internet.
CISPA is intended to protect against catastrophic cyberattacks and economic espionage, but the broad definitions of CISPA unfortunately allow for much more. Contrary to what Rep. Rogers says, CISPA is not "a sharing of threat information bill only." CISPA's language is so vaguely defined that it could allow private companies to take a wide range of actions in order to defend their networks. While some of these actions might be perfectly appropriate, others could have disastrous consequences for our civil liberties.