President Obama signed into law a cybersecurity executive order at the same time CISPA was reintroduced into the House.
Obama’s cybersecurity executive order set up the foundations on which a “framework” can be constructed between the government and private sector industries, albeit without the vast majority of the privacy complications that CISPA has.
The “framework” will allow intelligence to be gathered from the aftermath of cyberattacks and cyberthreats to privately owned critical national infrastructure — such as the private defense sector, utility networks (like gas and electric companies), and the banking industry — so they can better protect themselves and the wider US population.
While the executive order does touch on intelligence sharing between the US government and private firms, it doesn’t undo years of privacy law-making work that continues to protect the US population. The White House even garnered support from the American Civil Liberties Union (ACLU) on the order. The order opened a path for wider consultation and discussion that could, however, change in due time.
How does this differ from SOPA or PIPA?
There are two major differences: SOPA and PIPA acted against foreign alleged copyright infringers, while CISPA is a domestically focused cybersecurity Bill.
The House and the Senate introduced the Stop Online Piracy Act (SOPA) and the Protect IP Act (PIPA) respectively. Both primarily targeted non-US websites and networks, allowing the US attorney general to seek a court order that would see sites alleged to infringe copyright and intellectual property shut down and seemingly disappear from the web.
However, CISPA focuses all but entirely on those within US borders — including US citizens and legal (and illegal) residents — rather than foreign citizens or non-US companies. While the US government cannot collect data from any private firm it likes — the firm must agree to it — CISPA has a greater impact on those within US borders, rather than non-US residents.
Does CISPA affect non-US citizens, such as those who live in the EU?
Potentially, yes, although not directly. Many smaller companies do not have local EU-based datacenters. Microsoft, Google, and Facebook, for instance, do have non-US datacenters for local users, but many do not have the capacity or the funding to do so. This means that non-US resident data may be stored directly by a US company.
What can the US government do with user data acquired under CISPA by private firms?
Anything they like with it, so long as it’s lawful and pertains to “cybersecurity purposes”, rather than “national security” purposes. But because the language is so ill-defined, it could be used for many more reasons than were initially considered.
The data will be handed to a central location within the US Department of Homeland Security (DHS) by the private firm, which can then be disseminated throughout government — including other US law enforcement and intelligence agencies.
Techdirt recently published a list of government agencies that can acquire your data under CISPA, which amounts to around 600 departments.
Source: Associated Press