A proposal for combating cyberattacks is getting plenty of support in the U.S. Congress and the private sector — and plenty of opposition from critics who say it threatens privacy rights.
The proposal by Rep. Mike Rogers, R-Mich., chairman of the U.S. House Intelligence Committee, would encourage the intelligence community and the private sector to share certain information to better protect computer networks from cyber-threats.
Under Rogers' bill, the Cyber Intelligence Sharing and Protection Act (CISPA), private companies and the government could share any information "directly pertaining to a vulnerability of, or threat to" a computer network. Currently, the government can't share classified intelligence on cyber-threats with the private sector.
The bill is one of several measures being considered by Congress following high-profile attacks targeting Google and the NASDAQ stock exchange. It passed the Intelligence Committee 17-1 in December and likely will be heard on the House floor later this month.
The bill is supported by 30 companies, including Facebook and Microsoft.
"The broad base of support for this bill shows that Congress recognizes the urgent need to help our private sector better defend itself from these invidious attacks," Rogers said in a statement last month. He said the bill would not increase federal spending or create a new government bureaucracy.
But the American Civil Liberties Union and the Center for Democracy and Technology say the bill lacks explicit privacy protections and doesn't specifically define what information companies should share with the government.
They also say the bill wouldn't require companies to strip shared information of details that could be used to identify specific people.
"What we're fundamentally deciding here is whether to blow a hole through all of our privacy laws and allow companies to turn over very sensitive information to the government," ACLU legal counsel Michelle Robertson said. "It's a threshold question -- what will they turn over?"
On April 8, the Internet collective known as Anonymous claimed responsibility for denial-of-service attacks targeting the websites of two groups that support Rogers' bill, USTelecom and Tech America. In a YouTube video, Anonymous compared the bill to the controversial Stop Online Piracy Act in its potential to harm Internet users.
During a conference call April 10, Rogers said "there is no comparison" between his bill and the Stop Online Piracy Act because his bill would not allow the government to censor information, shut down websites or monitor people.
The bill's supporters said they're working on modifying it to resolve some of the issues raised by critics.
The bill is designed to help protect computer networks that help maintain critical infrastructure and to prevent economic espionage, which sponsors of the bill say results in $2 billion to $400 billion in losses every year.
"Intelligence sharing is the only way we're going to be able to protect the private sector," said Rep. C.A. Dutch Ruppersberger, R-Md., the bill's co-sponsor.
Cyber-attacks by China and other countries are one of the nation's "most rapidly-evolving and most serious set of threats," Homeland Security Secretary Janet Napolitano said recently.
Homeland Security officials responded to 106,000 such attacks last year and have increased their cybersecurity personnel by 500 percent in the past several years, Napolitano said.
Cyber-attacks threaten critical infrastructure and human lives, and could cause "massive economic damage or massive displacement of persons, or massive interference with national security," Napolitano said.
Rogers said his bill targets malicious code, not user content. He also said the bill would protect privacy by encouraging private companies to strip personal information from data shared with the government.
Greg Nojeim, senior counsel at the Center for Democracy and Technology, said that protection is "toothless" because it's voluntary and "not enforceable by the users whose data can be shared."
Critics have also warned that the bill would increase military control over domestic cybersecurity information. The bill would allow the National Security Agency and other government agencies to warn Internet service providers about detected cyber-threats.
"Information is power, and NSA wants more of it," Nojeim wrote in a recent CDT article.
Rogers said he may amend his bill to make the Homeland Security Department responsible for verifying that the government and private companies share information related to cyber-security and nothing else.