CISPA revision allows DHS Internet 'countermeasures'
A proposed addition to a controversial surveillance bill authorizes Homeland Security Secretary Janet Napolitano to "intercept" a large portion of Web and e-mail communications and "deploy countermeasures" against Internet-based adversaries.
Rep. Sheila Jackson Lee, a Texas Democrat, today proposed amending CISPA to give Napolitano broad authority -- so broad it trumps every existing privacy and surveillance law -- to monitor all government networks, even ones operated by the FBI, White House, and the State Department. CISPA stands for the Cyber Intelligence Sharing and Protection Act.
Napolitano would be authorized to "acquire, intercept, retain," and "use" data that transit networks owned by the federal government or operated on its behalf by a carrier such as Verizon, Qwest, and AT&T. Homeland Security could do that if it claims the surveillance would ward off "cybersecurity threats"; the amendment includes the same phrase "notwithstanding any other provision of law" that made CISPA so unloved by nearly 800,000 Internet users.
Jackson Lee's amendment (PDF) is broad enough to sweep in government contractors and university networks such as Internet2 and CENIC, said a telecommunications attorney who did not want to be identified because of client sensitivity. It also appears to cover open Wi-Fi networks run by federal agencies and networks in government-provided housing.
The proposed surveillance system resembles a more muscular version of the Einstein monitoring project that DHS has championed for the last several years. In 2010, Napolitano said "we need the legal tools to do things like monitor the recruitment of terrorists via the Internet." Last month, she asked a congressional committee for $345 million to fund the latest version of Einstein, also known as the National Cybersecurity Protection System.
Jackson Lee's amendment will be proposed during the House floor debate on CISPA that's scheduled to begin on Thursday, with a vote scheduled on Friday. CISPA foes have been scrambling to rally opposition in the week leading up to the vote, with Republican presidential candidate Ron Paul yesterday likening the measure to "Big Brother writ large" and 18 House Democrats expressing privacy concerns in a letter (PDF) of their own.
The Secretary of Homeland Security is authorized, notwithstanding any other provision of law, to acquire, intercept, retain, use, and disclose communications and other system traffic that are transiting to or from or stored on Federal systems and to deploy countermeasures with regard to such communications and system traffic for cybersecurity purposes provided that the Secretary certifies that such acquisitions, interceptions, and countermeasures are reasonable [sic] necessary for the purpose of protection Federal systems from cybersecurity threats...
The Secretary may enter into contracts or other agreements, or otherwise request and obtain the assistance of, private entities that provide electronic communication or cybersecurity services to acquire, intercept, retain, use, and disclose communications and other system traffic...
What sparked the privacy worries -- including opposition from the Electronic Frontier Foundation, the American Library Association, the ACLU, and the Republican Liberty Caucus -- is the section of CISPA that says "notwithstanding any other provision of law," companies may share information with the government. By including the word "notwithstanding," CISPA's drafters intended to make their legislation trump all existing federal and state civil and criminal laws. (For their part, they claim it's necessary to deal with threats from China and Russia and that it "protects privacy by prohibiting the government from requiring private sector entities to provide information.")
Jackson Lee did not respond to requests from CNET this afternoon. But her amendment is similar to a White House proposal from last year (PDF), while lacking some of the privacy-protecting language the administration had inserted.
"The problem is that it is like Einstein, but on steroids," Michelle Richardson, legislative counsel for the ACLU, told CNET. "Instead of having the private sector filter traffic [to] government Web sites for known or suspected signatures, they are just allowing DHS to do the tapping, filtering, and monitoring."
When asked whether the Jackson Lee amendment would allow Homeland Security to monitor the networks of federally chartered schools such as Howard University and Gallaudet University, Richardson replied: "That's a good question. Arguably it would."
Ryan Radia, associate director of technology studies at the Competitive Enterprise Institute, a libertarian-leaning think tank that has criticized CISPA, suggested that it could also allow Homeland Security to monitor the communications of the federal courts and Congress, and intercept tax returns sent to the IRS. Radia added:
While it appears that Rep. Jackson Lee sought to include several safeguards to limit DHS from improperly using and collecting information that flows on federal networks, those safeguards are essentially toothless. Under her amendment, the Secretary of Homeland Security need only "certif[y]" that the collection or interception of information by DHS complies with the various safeguards and limitations. But the Secretary of Homeland Security has the sole discretion to interpret the language of the safeguards as she sees fit. It appears that no judge or legislator can second-guess a Secretary's "certification" that a particular DHS information use accords with the bill's safeguards.
(You may remember Jackson Lee, named the "meanest" member of Congress by Washingtonian magazine, from the House debate over the Stop Online Piracy Act in December. She interrupted the discussion to demand an apology after a Republican tweeted that she had been boring him.)
Another section of Jackson Lee's amendment authorizes Napolitano to "obtain the assistance of private entities that provide electronic communication or cybersecurity services to acquire, intercept, retain, use, and disclose communications and other system traffic" if the purpose is to help "deploy countermeasures" -- which would appear to sweep in not only carriers, but other tech companies including Apple, Yahoo, Facebook, McAfee, and so on. "Cybersecurity services" is defined broadly as providing services that block "efforts to gain unauthorized access to a system."