Cybersecurity has come to the fore with the rise of illicit attempts to compromise the Internet-based data and communications systems of private companies and governments around the globe. Although some hack jobs seem to be innocuous pranks, like altering a high school's attendance records, serious electronic breaches have threatened the security of major organizations. Some recent examples include the hacking of email marketing provider Epsilon, the Sony PlayStation Network, and NASA's Jet Propulsion Laboratory.
Developing appropriate responses to cybersecurity threats has become urgent. Yet in this country, key legislative initiatives to address the problem in a centralized manner have so far been awkward and controversial.
The United States deals with cybersecurity issues in a number of ways. The Computer Fraud and Abuse Act (CFAA) (18 U.S.C. § 1030) provides an avenue of legal redress for federal offenses perpetrated through a computer. The 2003 National Strategy to Secure Cyberspace guides the cybersecurity efforts of the Department of Defense, while the National Information Infrastructure Protection Act of 1996 (Pub. L. No. 104-294, which amended the CFAA) makes denial-of-service attacks illegal and punishable by up to ten years of imprisonment. The Patriot Act (Pub. L. No. 107-56) includes provisions allowing the FBI to investigate cybersecurity offenses and enabling the U.S. attorney general to take legal action.
Now Congress is feeling pressure to pass comprehensive legislation addressing all of these problems, particularly in light of national media attention on cybersecurity breaches by WikiLeaks, and more recently the actions of Anonymous. So, besides addressing concerns over data privacy and intellectual property, new legislation must enable our regulatory bodies and legal infrastructure to provide protection from intruding persons and organizations that are transnational and non-state actors.
Attempts at policing virtual space have so far been meager. The federal legislation known as the Secure It Act (HR 4263) aimed to advance self-regulatory efforts on the part of companies to combat cybersecurity threats. A separate measure, the Stop Online Piracy Act (SOPA) (HR 3261), focused on Internet piracy, a topic that's been mired in legislative muck since the late 1990s. SOPA would have expanded the ability of U.S. law enforcement agencies to fight online trafficking of copyrighted intellectual property and counterfeit goods. The act would have allowed companies to obtain court orders barring advertising networks and payment facilities from conducting business with infringing websites, preventing search engines from linking to those sites, and requiring Internet service providers to block access to the sites.
Proponents said SOPA would protect the intellectual property market and corresponding industries' revenue, and it would bolster the enforcement of copyright laws, especially against foreign websites. Existing laws, they argued, did not cover foreign-owned and operated sites. Opponents countered that the bill would kill free speech and innovation by enabling law enforcement to block access to entire domains because of infringing content posted on a single blog or Web page. Computer scientist Vinton Cerf, one of the founders of the Internet, noted, "Requiring search engines to delete a domain name begins a worldwide arms race of unprecedented 'censorship' of the Web." Others argued that the Digital Millennium Copyright Act (DMCA) (Pub. L. No. 105-304) already lets copyright owners request that infringing material be taken down (see 17 U.S.C. § 512(c)(3)), rendering SOPA unnecessary. Companies such as YouTube regularly remove infringing videos from their sites through the DMCA.
The Internet community rallied against SOPA, and online activism, or "hacktivism," around the legislation led to its downfall. On January 18, 2012, the English Wikipedia, along with Reddit, Craigslist, and an estimated 7,000 other sites, "blacked out," and another 150,000 sites participated in some form of protest. A rally was also held in New York City, and there were petition drives and boycotts of companies supporting the legislation. Within two days, SOPA was shelved indefinitely.
The sweeping nature of these provisions has created plenty of controversy, and major opposition to the bill primarily concerns its overbreadth. The bill authorizes collection and use of cyber information for five express purposes: overall cybersecurity; investigating and prosecuting cybersecurity crimes; protecting individuals from death or physical injury; protecting minors from physical or psychological harm; and protecting the national security of the United States. Opponents of CISPA fear that these "express" purposes may be construed broadly, and thus grant the government the right to collect private data without typical Fourth Amendment protections.
CISPA passed the U.S. House of Representatives last April, but in August the Senate rejected the proposed law by a vote of 52-46. New cybersecurity legislation seems unlikely, at least in 2012. Moving ahead into the new year, the results of the election may dictate whether the White House will take a greater role in cybersecurity or leave it to Congress to tackle this issue once again.
Christina M. Gagnier is the managing partner of Gagnier Margossian's digital strategy consultancy and leads its IP and Technology law practice in San Francisco.