The Cyber Intelligence Sharing and Protection Act (CISPA) is a proposed cybersecurity bill that passed the U.S. House of Representatives on April 26, 2012 as H.R. 3523, but stalled in the Senate later that year. It returned to the Congressional roster in 2013 as H.R. 624. CISPA would amend Title XI of the National Security Act of 1947 by adding a new section to the end called "Cyber Threat Intelligence and Information Sharing, Sec. 1104."
The aim of the new section is to allow and encourage agencies of the federal government, private-sector companies and utilities to share cyberthreat intelligence with each other in a timely manner in order to prevent disruption or harm to vital infrastructure due to attacks on the computer systems and networks of these entities. But the scope and language of the bill have proved quite controversial.
To supporters, the proposed legislation is a means to better enable information sharing to quickly counter cyberattacks before they disrupt critical services or damage the economy or national security, and to allow companies to both share information and take defensive measures without risk of lawsuits for their actions. To opponents, it's an overbroad and vague piece of legislation that allows sharing of personal information with no judicial oversight, harms individual privacy rights by sidestepping existing privacy laws and could invite abuses such as government surveillance of Internet activities.
Everyone agrees that we're vulnerable to cyberattacks, potentially from foreign powers, terrorists, criminals or others with ill intent, and that these attacks have the potential to disrupt essential services. The disagreements lie in whether this bill really solves the issue and whether it could do more harm than good.
Read on to find out more about the sorts of threats CISPA is meant to address, and the bill itself.
What sorts of threats is CISPA meant to protect against?
The vital infrastructure CISPA aims to protect includes services such as power, water and sewage, transportation, communications, financial networks and government agencies. Pretty much every company and every utility, as well as the government itself, is at least partially online these days, and anything hooked up to the Internet, from a lone computer to a huge network, is vulnerable to a debilitating attack.
The bill doesn't go into detail on types of attacks, but there are a few common ones: distributed denial of service (DDoS) attacks, where a large number of requests are sent to a company's servers, causing disruption of service to legitimate users; man-in-the-middle attacks, where communications from one server to another are intercepted and run through an attacker's server to spy or make harmful changes; and advanced persistent threats (APT), which are long-term targeted attacks on certain companies or other entities. Attackers may aim to install viruses, worms, spyware, trojans and other malware (malicious software) on target computers to wreak havoc or gain unauthorized access.
There are overt intrusion attempts from hackers, a la the movie "War Games," where the protagonist dialed right into company and government computer systems. Users and system administrators have ways to protect against direct attacks, such as software or hardware firewalls, anti-virus and anti-spyware software and improved login methods that include things like complicated passwords or multi-factor authentication.
Unfortunately, many systems are breached by attackers who use social engineering methods that trick unwitting individuals into providing login information or installing malware onto their own machines. Phishing is a common social engineering method where e-mails are sent out with file attachments containing malware, links to Web sites that look legitimate but aren't or requests for personal information. There's a more targeted version of this scam called spearphishing, where the attackers know something about their intended victims and can use that to make the e-mail sound legitimate.
Even the software that a user seeks themselves might include malware, as happened in a recent case where employees at Apple, Facebook and Microsoft (and presumably other companies) fell prey when they downloaded infected software from popular developer sites that had been hacked.
Malicious software can infect a computer or possibly an entire network of computers and allow spying, disruption or other nefarious shenanigans. A computer might be hijacked by installing something called a bot -- software that runs certain tasks automatically and can allow an outside user to control the computer unbeknownst to the owner. These are sometimes called zombie computers. There are networks of these hijacked machines called botnets that can be used to launch attacks against others.
There have been other notable attacks in the news of late. According to an investigation by a cybersecurity company called Mandiant, hackers in China broke into the New York Times network, apparently to spy on the e-mail of certain reporters writing about a high ranking Chinese official. A similar attempt was made against Bloomberg News. Attacks against other companies have also been traced to China, according to Mandiant [source: Bodeen].
Saudi Aramco, the world's largest oil producer, was attacked with a virus that replaced data on around 30,000 computers in the company with a picture of a burning U.S. flag, rendering the machines useless. These attacks were traced to a computer that was apparently not connected to the Internet, leading to speculation that it was an inside job.
Cyberattacks can be perpetrated by individuals seeking to show off their skills, criminals looking to steal intellectual property or financial information, terrorist groups aiming to wreak havoc and even governments for purposes of espionage or military activities. There are also sometimes breaches by activists or people who wish to point out potential security issues. The costs of the more ill-intentioned cyberattacks can be enormous and can include loss of trade secrets and other data, financial theft and the cost of clean-up and repair of infected systems, among other things. And the risks also include disruption of services that we all depend upon.
History of the Bill
The original CISPA was introduced as H.R. 3523 on Nov. 30, 2011 by Republican Mike Rogers of Michigan, chairman of the House Intelligence Committee, and co-sponsored by Democrat Dutch Ruppersberger of Maryland, ranking member of the same committee, as well as more than 20 other representatives, Democrat and Republican alike. It had the support of a lot of companies, including large telecommunications and tech companies, but faced a lot of opposition from civil liberties groups. On April 25, 2012, President Obama's administration even threatened that he would veto the bill for not doing enough to protect core infrastructure from cyberthreats and failing to protect the privacy, data confidentiality and civil liberties of individuals.
More than 40 amendments were proposed. Several pro-privacy amendments were rejected by the House Rules Committee on April 25. One amendment to allow the National Security Agency (NSA) or the Department of Homeland Security (DHS) additional surveillance authority was withdrawn on April 26. A few amendments were passed, increasing the original bill from 11 pages to 27 pages. These included the following:
- The Minimization Retention and Notification Amendment, which added provisions for notifying entities that have sent data that the government determines is not cyberthreat related, limitations on the use of the data and a statement that mentioned possible efforts to limit privacy and civil liberty impacts.
- The Definitions Amendment, which inserted or modified definitions for the terms "availability," "confidentiality," "cyber threat information," "cyber threat intelligence," "cybersecurity purpose," "cybersecurity system" and "integrity."
- The Liability Amendment, which changed the wording of a section waiving liability of private entities for sharing information to include identifying or obtaining cyberthreat information.
- The Limitation Amendment, which inserted a section that states that nothing in the bill will provide additional authority or modify existing authority of an entity to use a cybersecurity system owned by the federal government on a private-sector system or network.
- The Use Amendment, which adds language outlining the allowed uses of cyberthreat information shared with the government.
- A sunset clause was also added that makes the bill expire five years after its adoption.
The amended version of H.R. 3523 passed in the U.S. House of Representatives on April 26, 2012 by 248 to 168 votes, but never reached a vote in the U.S. Senate.
CISPA was reintroduced in the House by Representatives Rogers and Ruppersberger in February 2013 under a different bill number, H.R. 624. It is virtually identical to the version of H.R. 3523 that passed the House in 2012.
Key Provisions of CISPA
CISPA concentrates entirely on sharing cyberthreat-related information between the government and private entities, and between private entities and other private entities. It makes provisions for government agencies to share both unclassified and classified information with private companies and utilities. For classified information, it specifies that the entities or individuals receiving information must be certified or have security clearance, and makes provisions for granting temporary or permanent security clearance to individuals within these entities.
It also allows for information sharing between private entities and other private entities, including cybersecurity firms hired by those companies to protect them. And it makes provisions for private entities to share information about cyberthreats with the federal government, and specifies that any agency receiving such information is to send it to the National Cybersecurity and Communications Integration Center of the DHS.
CISPA exempts shared information from disclosure under the Freedom of Information Act and any similar laws enacted by state, local and tribal governments. The bill exempts companies (and cybersecurity firms hired to protect their systems) from lawsuits for sharing information, for using cybersecurity systems to identify or obtain cyberthreat information or for any decisions they make based on the cyberthreat information, provided they are acting "in good faith." A government agency, however, can be sued if it "intentionally or willfully violates" the information disclosure and use rules spelled out in the bill, with a statute of limitations of two years from the date of violation.
The bill includes limits on how the federal government may use the information shared with it. The five legitimate uses given are: cybersecurity purposes; investigation and prosecution of cybersecurity crimes; protection of individuals from death or serious bodily harm; protection of minors from child pornography, sexual exploitation and other related crimes; and protection of national security. The government is restricted from affirmatively searching the information for any purpose other than investigation and prosecution of cybersecurity crimes, and is restricted from retaining or using the information for any purpose other than the ones listed in the previous sentence. CISPA also specifically restricts the government from using library circulation records, library patron lists, book sales records, book customer lists, firearm sales records, tax return records, educational records and medical records.
The bill states that if information is shared with the federal government that it determines is not related to cyberthreats, the government must notify the entity that provided the information.
CISPA also dictates procedures and reports that must be developed and released by certain government entities. It makes all information sharing from private entities voluntary, with no penalties for choosing not to participate, and makes a statement that the bill is not an attempt to give any element of the intelligence community the right to dictate the cybersecurity efforts of any private or government agencies.
Cybersecurity purposes as defined within the bill include: efforts to protect against vulnerabilities; threats to integrity, confidentiality or availability; efforts to deny access, degrade, disrupt or destroy; and efforts to gain unauthorized access to systems and networks, as well as any information stored on, processed on or moving through them. This explicitly includes unauthorized access to exfiltrate (or remove) information, but excludes unauthorized access that only involves violations of consumer terms of service or licensing agreements. The definitions of cybersecurity systems and cyberthreat intelligence contain similar language.
Why is CISPA so controversial?
CISPA has taken a lot of flak for various reasons, including concerns about privacy, transparency, lack of judicial oversight and the possibility of it being used for surveillance of citizens' Internet activities under the guise of cybersecurity, national security and other vaguely defined terms.
One issue is that it uses blanket terms like "cyber threat intelligence" rather than strictly defining the types of data that can be shared, which could potentially allow companies to obtain and share any sort of information, including personally identifying information (PII), private communications and the like. CISPA does allow private entities to insist that the government anonymize, minimize or otherwise restrict the data they share, but it doesn't require the companies to make such restrictions.
In the subsection regarding the federal government's use of the shared information, there is a paragraph that addresses privacy and civil liberties, but it says, "The Federal Government may, consistent with the need to protect Federal systems and critical information infrastructure from cybersecurity threats and to mitigate such threats, undertake reasonable efforts to limit the impact on privacy and civil liberties of the sharing of cyberthreat information with the Federal Government pursuant to this subsection." The use of the word "may" makes it sound voluntary, and there is no further definition of what these efforts might entail. In the section regarding the creation of an annual report on government use of the information, the bill dictates including "metrics to determine the impact, on privacy and civil liberties, if any," but there is no mention of how this information will be used.
The bill provides legal immunity to companies sharing information, even if it turns out they did it improperly, provided they acted in "good faith." It also allows immunity "for decisions made based on cyber threat information," but doesn't define "decisions made." From the companies' point of view, this allows them to freely share cyberthreat information and to act on that information without worrying about costly lawsuits, but it could completely curtail the right of an individual or entity to sue for any harm done, since it is difficult to prove that someone didn't act in good faith. It has been argued that this immunity could also allow companies to do things like retaliation hacking of a suspected intruder to gain information or disrupt their systems.
Another controversial aspect of CISPA's wording is the potential it has to supersede a number of privacy laws.
More Problematic Language
CISPA potentially sidesteps judicial oversight through the term "notwithstanding any other provision of law," which overrides a lot of existing privacy laws, including the Wiretap Act, Cable Communications Act, Video Privacy Protection Act, Stored Communications Act and Electronic Communications Privacy Act -- acts that do provide rules and oversight regarding the sharing of personal information. In the case of CISPA, no warrant is required for the government to obtain personal information.
Even though individuals can sue the government if it willfully misuses their information, it could be very difficult to find out such a thing ever happened. Even if non-cyberthreat information is sent to the government, the government is only required to notify the sending entity, and no one is required to inform the person whose data was shared. And information shared is exempt from disclosure under the Freedom of Information Act and other similar disclosure laws. There would have to be some obvious harm that pointed to the sharing, and it would have to be evident within two years of the time the federal government misused the data because of the statute of limitations.
CISPA is also under attack for not defining or limiting what government entities the information can be handed over to, aside from the stipulation that receiving agencies give it to the National Cybersecurity and Communications Integration Center of the DHS, which can share it with other agencies. The information could legally be given to any agency of the federal government, including intelligence agencies. How the government can use the information is defined broadly, as well, including "for cybersecurity purposes," which is somewhat vaguely defined in the bill, and "to protect the national security of the United States," which is fairly broadly defined in the National Security Act.
There is a notable dearth of terms related to technology in the bill. The word "computer" is only used within the definition of "cybersecurity crime" to include computer crimes in the list of possible violations. Otherwise, H.R. 624 refers to the things being protected as "systems and networks," which is somewhat ambiguous. The words and phrases "online," "Internet," "Web," "digital," "information technology" and even "technology" are never used.
The original version of the bill included theft of intellectual property as one of the cybersecurity purposes. This has been removed from the latest version of CISPA, and language was inserted to specify that cyberthreat information does not include efforts to gain access involving violations of consumer terms of service or licensing agreements. However, some groups still fear that it can be used to pursue things like copyright infringement.
CISPA doesn't provide the legal means for the government to directly monitor people's online activities and digital data, but it does allow companies to voluntarily give undefined types and amounts of information that they deem cyberthreat information to the federal government, and the government can keep and use this data for reasons of cybersecurity, national security and investigation of a few other crimes. This and the fact that it can be given to any agency are causing consternation since this could allow intelligence agencies a sort of sideways access to personal information.
No one is arguing that sharing information on emerging threats isn't important in the fight to secure computer systems and networks from the ever-growing threat of attack, but arguments are being made to place limitations on the types of information shared and with what entities it can be shared. The supporters of CISPA counter that the bill is not intended for surveillance, and that the immunities are necessary to encourage companies to share information without fear of lawsuit. The opponents argue that the risks to privacy and civil liberties are too great in the bill as currently written.
Efforts Made in Support of and Opposition to CISPA
A number of private companies and trade associations have expressed support for CISPA. Many of them sent letters of support to the U.S. House of Representatives for either H.R. 3523, H.R. 624 or both, including AT&T, Verizon, US Telecom, Comcast, Time Warner Cable, the National Cable & Telecommunications Association, Edison Electric Institute, Financial Joint Trades, Financial Services Roundtable, Boeing, Lockheed Martin, IBM, Intel, Oracle, Symantec, Microsoft, Facebook, TechAmerica, the Internet Security Alliance, Juniper Networks and the Chamber of Commerce. Facebook and Microsoft both backed away a little after protests and stated or implied that they would support changes to the final legislation that addressed privacy concerns.
The letters of support include praise for breaking down existing barriers to the timely sharing of cyberthreat intelligence with private entities, not placing regulatory burdens on private companies and protecting them from frivolous lawsuits and legal uncertainty with regards to sharing information, among other things.
But some companies and organizations concerned with privacy and civil liberties have vigorously spoken out against CISPA, including the Electronic Frontier Foundation, the American Civil Liberties Union, Access Now, the American Library Association, the Society of American Archivists, the Cato Institute, the Center for Democracy and Technology, the Entertainment Consumers Association, the Sunlight Foundation, Reporters Without Borders, the Society of Professional Journalists, the Rutherford Institute, the Republican Liberty Caucus, Mozilla and Tech Freedom, among others. Notable individuals who have expressed concerns include former Representative and Presidential candidate Ron Paul, who called the bill "Big Brother writ large," and Tim Berners-Lee, the inventor of the World Wide Web. And of course, there was the President's veto threat.
The EFF and some other opposing groups organized a "Week of Action" in mid-April 2012 to protest CISPA, during which they waged a grassroots campaign asking people to sign petitions, write, call and tweet Congressmen and otherwise express opposition to the bill. Nearly a million people did so the first go round, but despite this activity, CISPA did pass in the House -- albeit with a few changes.
As of early spring of 2013, similar pushes are being made to protest the bill anew. Within a day or so of CISPA being reintroduced in the House, hundreds of thousands of online signatures were reportedly collected and delivered to the U.S. House Intelligence Committee. We likely haven't heard the end of vigorous arguments on both sides of the issue.
Alternatives to CISPA
Some notable alternatives to CISPA have been put forth, including two bills introduced in the Senate and an Executive Order issued by President Obama.
One of the Senate bills is the Cybersecurity Act (S. 3414) introduced by Senators Joe Lieberman (I-CT), Susan Collins (R-ME) and three other senators. It is a much longer (in excess of 200 pages) and more detailed bill than CISPA that opens up ways for private entities and the federal government to share information related to cyberthreats, puts oversight of sharing in the purview of the DHS and also allows for setting up cybersecurity guidelines to be followed on a voluntary basis, but with incentives for compliance by private entities. It creates the National Cybersecurity Council (NCC) to be made up of representatives from multiple agencies (both civilian and military) to coordinate with the private sector to assess computer system vulnerabilities and come up with the guidelines.
The Cybersecurity Act was amended to include more protections to privacy and civil liberties, including a guarantee that only civilian (non-military) organizations have access to shared cyberthreat information and an exemption of first-amendment protected activities from being identified as categories of critical cyber infrastructure. It also doesn't include national security as one of the possible uses of shared cybersecurity information, but it does let the federal government use the information for the other three reasons allowed under CISPA.
A rival bill introduced by Senator John McCain (R-AZ) and several co-sponsoring senators is called the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act (SECURE IT Act, S. 3342). It is also a heftier bill than CISPA, coming in at more than 100 pages. It would facilitate information sharing between multiple government agencies and private entities on cyberthreats, strengthen criminal penalties related to cybercrimes, foster networking and information technology research and development and sharing of research, and would allow the Department of Commerce, Department of Homeland Security, and the National Security Agency (NSA) to coordinate on policies regarding cybersecurity efforts. It has faced many of the same criticisms as CISPA, including that it has an overbroad definition of cyberthreat information, places few limits on the types of information that can be shared and how it can be used (including cybersecurity purposes, national security purposes and a whole host of criminal prevention, investigation and prosecution purposes), similar "notwithstanding any other provision of law" language and oversight issues, such as the removal of lawsuit liability from companies and the shared information being exempt from the Freedom of Information Act. It is also criticized for putting a non-civilian entity (the NSA) in charge of information sharing.
The Current State of Affairs
As of early 2013, neither Senate bill passed, but in the wake of CISPA's resurrection in the House, President Obama issued an Executive Order (EO) that covers some of the ground of the proposed cybersecurity bills, including timely sharing of information on cyberthreats from the federal government to critical infrastructure entities and companies that provide cybersecurity services. It does not enable any new sharing of information in the other direction (from private companies to public entities). It takes an existing Defense Industrial Base (DIB) information sharing program called the Enhanced Cybersecurity Services program, which was put in place to allow the Department of Defense (DoD) and the DHS to share non-classified cybersecurity information with defense contractors and the like, and expands it by allowing it to cover the other government agencies and critical infrastructure sectors. Like CISPA, the EO addresses creating an avenue for critical infrastructure personnel to gain security clearance for the sharing of classified information. It charges the National Institute of Standards and Technology (NIST) and others to work collaboratively with industry experts to create a cybersecurity practices framework to help reduce cyberthreat risks to infrastructure, and calls on the DHS to develop incentives to promote adoption of the framework.
The EO also calls for the Chief Privacy Officer and Officer for Civil Rights and Civil Liberties of the DHS to assess privacy and civil liberties risks and make recommendations on how to minimize and mitigate those risks. They are to use the Fair Information Practice Principles (FIPP) and other related policies to evaluate cybersecurity activities to this end, and their assessments are to be made available to the public.
Since CISPA is under consideration once more, no rival cybersecurity bills have passed yet and cyberthreats appear to be on the rise, the debate on how best to handle cybersecurity, especially sharing of information from private industry to government, is far from over. But perhaps all the rousing debates and calls to action will help whatever laws are ultimately passed to best straddle the line between too much and too little sharing while providing real protections.
Author's Note: How CISPA Works
Being an IT worker, a writer and a heavy Internet user, I'm concerned about the security of our computers and networks. Lord knows I don't want my data stolen, or a cyberattack to take down the Internet or cut the power. How would I watch an entire season of "Downton Abbey" on Netflix while simultaneously writing an essay, checking e-mail and surfing the net for Grumpy Cat pictures?
But I'm equally concerned about privacy. The less of my data flowing out to people I never intended to look at it, the better. There is no telling how the NSA would interpret one of my short stories.
Reading through these bills and thinking about what could possibly go wrong due to wording issues was pretty fascinating. I'm sure that the drafters of all such legislation are by and large well-meaning people trying to proactively snuff out security threats. But "well-meaning" means about as much as "good faith" in legal terms. Not everyone on the planet has good intentions, as we are reminded daily by the news, and anything that can be used for ill or even just misguided purposes probably will be at some point. So I hope that whatever bill passes is extremely well-thought-out and vetted by industry, civil liberty and legal experts alike. Keep the Internet safe for Grumpy Cat.
- Albanesius, Chloe. "Obama's Cybersecurity Executive Order vs. CISPA: Which Approach Is Best?" PC Magazine. February 13, 2013. (March 11, 2013) http://www.pcmag.com/article2/0,2817,2415380,00.asp
- Biddle, Sam. "What is CISPA?" Gizmodo. April 26, 2012. (March 3, 2013) http://gizmodo.com/5905360/what-is-cispa
- Bodeen, Christopher. "Yang Jiechi, China's Foreign Minister, Dismisses Hacking Claims by U.S." Huffington Post. March 09, 2013. (March 09, 2013) http://www.huffingtonpost.com/2013/03/09/yang-jiechi-chinas-foreig_n_2844984.html
- Bradbury, Danny. "With cyber attacks on the rise, is your company's data secure?" Guardian. February 11, 2013. (March 9, 2013) http://www.guardian.co.uk/media-network/media-network-blog/2013/feb/11/cyber-attack-security-data
- Bucci, Steven P. "Securing U.S. Computer Networks with SECURE IT." The Heritage Foundation. July 16, 2012. (March 10, 2013) http://www.heritage.org/research/reports/2012/07/securing-us-computer-networks-with-secure-it
- Bumiller, Elisabeth and Thom Shanker. "Panetta Warns of Dire Threat of Cyberattack on U.S." New York Times. October 11, 2012. (March 6, 2013) http://www.nytimes.com/2012/10/12/world/panetta-warns-of-dire-threat-of-cyberattack.html
- CNBC. "Code Wars: America's Cyber Threat." (March 9, 2013) http://www.cnbc.com/id/42210831/Code_Wars_America039s_Cyber_Threat
- Couts, Andrew. "Not CISPA: Revised Senate Cybersecurity Bill Praised by Civil Liberty Advocates." Digital Trends. July 20, 2012. (March 9, 2013) http://www.digitaltrends.com/web/not-cispa-revised-senate-cybersecurity-bill-praised-by-civil-liberty-advocates/
- FBI. "Computer Intrusions." (March 9, 2013) http://www.fbi.gov/about-us/investigate/cyber/computer-intrusions
- FBI. "Spear Phishers - Angling to Steal Your Financial Info." April 1, 2009. (March 9, 2013) http://www.fbi.gov/news/stories/2009/april/spearphishing_040109
- Fitzpatrick, Alex. "CISPA Cybersecurity Bill Passes House, With Some Amendments." Mashable. April 26, 2012. (March 8, 2013) http://mashable.com/2012/04/26/cispa-passes-house/
- Fitzpatrick, Alex. "Internet Activists Deliver 300,000 Anti-CISPA Signatures to Congress." Mashable. February 15, 2013. (March 11, 2013) http://mashable.com/2013/02/15/cispa-petitions/
- Glass, Nick. "Cloud threats and firewalls: Internet guru demystifies cyber security." CNN. March 5, 2013. (March 9, 2013) http://www.cnn.com/2013/03/05/tech/threat-cloud-cyber-security/index.html
- Greenberg, Andy. "President Obama's Cybersecurity Executive Order Scores Much Better Than CISPA on Privacy." Forbes. February 12, 2013. (March 11, 2013) http://www.forbes.com/sites/andygreenberg/2013/02/12/president-obamas-cybersecurity-executive-order-scores-much-better-than-cispa-on-privacy/
- Gross, Doug. "Report: Eastern European gang hacked Apple, Facebook, Twitter." CNN. February 20, 2013. (March 9, 2013) http://www.cnn.com/2013/02/20/tech/web/hacked-apple-facebook-twitter
- Harris, Leslie. "CISPA: Progress, But Flaws Remain." Center for Democracy and Technology. April 24, 2012. (March 11, 2013) https://www.cdt.org/blogs/leslie-harris/2404cispa-progress-flaws-remain
- Hartman, Rachel Rose. "CISPA: The controversy surrounding it and how it might affect you." ABC News. April 27, 2012. (March 11, 2013) http://abcnews.go.com/Politics/OTUS/cispa-controversy-surrounding-affect/story?id=16229426
- Jackson, William. "McCain's retooled Secure IT act still a privacy threat, critics say." GCN. July 2, 2012. (March 10, 2013) http://gcn.com/Articles/2012/07/02/Secure-IT-Act-amended-critics-say-still-threat-to-privacy.aspx?Page=1
- Jaycox, Mark M. and Kurt Opsahl. "CISPA is Back: FAQ on What it is and Why it's Still Dangerous." Electronic Frontier Foundation. February 25, 2013. (March 3, 2013)https://www.eff.org/cybersecurity-bill-faq
- Jaycox, Mark M. "CISPA, the Privacy-Invading Cybersecurity Spying Bill, Is Back in Congress." February 13, 2013. (March 6, 2013)https://www.eff.org/deeplinks/2013/02/cispa-privacy-invading-cybersecurity-spying-bill-back-congress
- Kelly, Heather. "Cyber-criminals are targeting phones and bank info." CNN. February 21, 2013. (March 9, 2013)http://www.cnn.com/2013/02/21/tech/mobile/mcafee-threats-report
- Koebler, Jason. "Civil Liberties Organizations Launch Protests Against CISPA." US News & World Report. April 16, 2012. (March 11, 2013) http://www.usnews.com/news/articles/2012/04/16/civil-liberties-organizations-launch-protests-against-cispa
- Library of Congress - Thomas. "Bill Text Versions 112th Congress (2011-2012) H.R. 3523." (March 8, 2013)http://thomas.loc.gov/cgi-bin/query/z?c112:H.R.3523:
- Magid, Larry. "Privacy Advocates Prefer Obama's Cybersecurity Plan Over CISPA." Forbes. February 21, 2013. (March 8, 2013)http://www.forbes.com/sites/larrymagid/2013/02/21/privacy-advocates-prefer-obamas-cybersecurity-plan-over-cispa/
- Magid, Larry. "What is CISPA and Why Would the President Veto It?" Forbes. April 25, 2012. (March 9, 2013)http://www.forbes.com/sites/larrymagid/2012/04/25/what-is-cispa-and-why-would-the-president-veto-it/
- McCullagh, Declan. "How CISPA would affect you (faq)." CNET. April 27, 2012. (March 3, 2013)http://news.cnet.com/8301-31921_3-57422693-281/how-cispa-would-affect-you-faq/
- McCullagh, Declan. "Microsoft backs away from CISPA support, citing privacy." CNET. April 27, 2012. (March 11, 2013) http://news.cnet.com/8301-33062_3-57423580/microsoft-backs-away-from-cispa-support-citing-privacy/
- O'Grady, Jason D. "Apple, Facebook employees hacked via website malware, Java vulnerability." ZDNet. February 21, 2013. (March 09, 2013)http://www.zdnet.com/apple-facebook-employees-hacked-via-website-malware-java-vulnerability-7000011601/
- Opsahl, Kurt. "The CISPA Government Access Loophole." EFF. March 1, 2013. (March 8, 2013)https://www.eff.org/deeplinks/2013/02/cispa-government-access-loophole
- Perlroth, Nicole. "Connecting the Dots After Cyberattack on Saudi Aramco." New York Times. August 27, 2012. (March 6, 2013)http://bits.blogs.nytimes.com/2012/08/27/connecting-the-dots-after-cyberattack-on-saudi-aramco/
- Perlroth, Nicole. "Hackers in China Attacked The Times for Last 4 Months." New York Times. January 30, 2013. (March 6, 2013)http://www.nytimes.com/2013/01/31/technology/chinese-hackers-infiltrate-new-york-times-computers.html?_r=0
- Peterson, Andrea. "Cybersecurity Bill Supporters Regroup As Executive Order Looms." Think Progress. February 6, 2013. (March 6, 2013)http://thinkprogress.org/security/2013/02/06/1548761/cispa-executive-order/
- Reitman, Rainey. "Even with Rogers' Amendments, CISPA is Still a Surveillance Bill." EFF. April 26, 2012. (March 8, 2013)https://www.eff.org/deeplinks/2012/04/even-rogers-amendments-cispa-still-surveillance-bill
- Reitman, Rainey. "Industry Experts to Congress: We Can Remove Personally Identifiable Information Before Reporting Cybersecurity Threats." EFF. February 16, 2013. (March 9, 2013)https://www.eff.org/deeplinks/2013/02/industry-experts-congress-we-can-remove-personally-identifiable-information
- Reitman, Rainey. "Victory Over Cyber Spying." EFF. August 2, 2012. (March 11, 2013) https://www.eff.org/deeplinks/2012/08/victory-over-cyber-spying
- Richardson, Michelle. "CISPA Claws Back to Life." ACLU. February 10, 2013. (March 9, 2013)http://www.aclu.org/blog/technology-and-liberty-national-security/cispa-claws-back-life
- Richardson, Michelle. "New Cybersecurity Amendments Unveiled to Address Privacy Concerns." ACLU. July 19, 2012. (March 9, 2013)http://www.aclu.org/blog/national-security-technology-and-liberty/new-cybersecurity-amendments-unveiled-address-privacy
- Richardson, Michelle. "President Obama Shows No CISPA-like Invasion of Privacy Needed to Defend Critical Infrastructure." ACLU. February 13, 2013. (March 6, 2013)http://www.aclu.org/blog/national-security-technology-and-liberty/president-obama-shows-no-cispa-invasion-privacy-needed
- Sasso, Brendan. "Longtime friends Lieberman, McCain divided over cybersecurity legislation." The Hill. March 14, 2012. (March 10, 2013) http://thehill.com/blogs/hillicon-valley/technology/215907-senators-mccain-lieberman-disagree-its-a-real-doozy
- Staff writer. "How a 'denial of service' attack works." CNET. February 9, 2000. (March 9, 2013)http://news.cnet.com/2100-1017-236728.html
- Steele, Patrick. "Voices of Opposition Against CISPA." EFF. April 19, 2012. (March 9, 2013)https://www.eff.org/deeplinks/2012/04/voices-against-cispa
- Symantec. "Advanced Persistent Threat (APT): The Uninvited Guest." (March 9, 2013)http://www.symantec.com/theme.jsp?themeid=apt-infographic-1
- Symantec. "Denial of service (DoS) attack." (March 9, 2013)http://www.symantec.com/security_response/glossary/define.jsp?letter=d&word=denial-of-service-dos-attack
- Symantec. "Man-in-the-middle attack." (March 9, 2013)http://www.symantec.com/security_response/glossary/define.jsp?letter=m&word=man-in-the-middle-attack
- Thrasher, Brown. "BREAKING: Senate CISPA Failes Cloture Vote." Daily Kos. August 2, 2012. (March 9, 2013)http://www.dailykos.com/story/2012/08/02/1116107/-BREAKING-Senate-CISPA-Fails-Cloture-Vote
- U.S. Government Printing Office. "S. 3342." June 27, 2012. (March 10, 2013) http://www.gpo.gov/fdsys/pkg/BILLS-112s3342pcs/pdf/BILLS-112s3342pcs.pdf
- U.S. Government Printing Office. "S. 3414." July 19, 2012. (March 10, 2013) http://www.gpo.gov/fdsys/pkg/BILLS-112s3414pcs/pdf/BILLS-112s3414pcs.pdf
- U.S. House of Representatives Permanent Select Committee on Intelligence. "Backgrounder on the Rogers-Ruppersberger Cybersecurity Bill." (March 5, 2013)http://intelligence.house.gov/backgrounder-rogers-ruppersberger-cybersecurity-bill
- U.S. House of Representatives Permanent Select Committee on Intelligence. "H.R. 3523 - Letters of Support." (March 11, 2013) http://intelligence.house.gov/hr-3523-letters-support
- U.S. House of Representatives Permanent Select Committee on Intelligence. "H.R. 3523 - The Bill and Amendments." (March 8, 2013)http://intelligence.house.gov/hr-3523-bill-and-amendments
- U.S. House of Representatives Permanent Select Committee on Intelligence. "H.R. 624." (March 6, 2013)http://intelligence.house.gov/sites/intelligence.house.gov/files/documents/HR624.pdf
- U.S. House of Representatives Permanent Select Committee on Intelligence. "H.R. 624 - Letters of Support." (March 3, 2013)https://intelligence.house.gov/hr-624-letters-support
- U.S. House of Representatives Permanent Select Committee on Intelligence. "Myth v. Fact: Cyber Intelligence Sharing and Protection Act of 2013 (CISPA)." (March 6, 2013)http://intelligence.house.gov/sites/intelligence.house.gov/files/documents/cispamythvactFeb122013v2.pdf
- U.S. House of Representatives Permanent Select Committee on Intelligence. "Rogers & Ruppersberger Reintroduce Cybersecurity Bill to Protect the American Economy." February 13, 2013. (March 6, 2013)http://intelligence.house.gov/press-release/rogers-ruppersberger-reintroduce-cybersecurity-bill-protect-american-economy
- Vamosi, Robert. "Internet-scale 'man in the middle' attack disclosed." CNET. October 17, 2008. (March 9, 2013)http://news.cnet.com/8301-1009_3-10068327-83.html
- Vijayan, Jaikumar. "Privacy groups protest CISPA bill." Computer World. February 14, 2013. (March 11, 2013) http://www.computerworld.com/s/article/9236800/Privacy_groups_protest_CISPA_bill_
- Vijayan, Jaikumar. "Return of CISPA: Cybersecurity boon or privacy threat?" Computer World. March 1, 2013. (March 11, 2013) http://www.computerworld.com/s/article/9237262/Return_of_CISPA_Cybersecurity_boon_or_privacy_threat_
- White House. "Executive Order -- Improving Critical Infrastructure Cybersecurity." February 12, 2013. (March 6, 2013)http://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity
- White House. "Executive Order on Improving Critical Infrastructure Cybersecurity." February 12, 2013. (March 11, 2013) http://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity-0
- Whittaker, Zack. "'Privacy killer' CISPA is coming back, whether you like it or not." ZDNet. February 8, 2013. (March 11, 2013) http://www.zdnet.com/privacy-killer-cispa-is-coming-back-whether-you-like-it-or-not-7000011056/