House Intelligence Committee Aide Blasts Electronic Frontier Foundation For a Campaign of "False" Information
BY Sarah Lai Stirland | Friday, April 20 2012
A top House Intelligence Committee aide working on cybersecurity legislation headed toward the House floor blasted the Electronic Frontier Foundation as "irresponsible" for comparing the legislation at hand to the controversial Stop Online Piracy Act that had the web community up in arms in January.
"We're going to call it SOPA, even though we're not sure that it's like SOPA -- that's kind of irresponsible," said Jamil Jaffer, an aide to the House Permanent Select Committee on Intelligence's Chairman Mike Rogers during a panel discussion Thursday night. The event was organized by the entrepreneurial group Hackers and Founders and CNET's chief political correspondent Declan McCullagh.
Rogers himself has been on the public relations offensive all week over his bill, the Cyber Intelligence Sharing and Protection Act, H.R. 3523, expected to come before the House for a vote next week. Though it has the support of many technology companies and business groups, and even Silicon Valley Congresswoman Anna Eshoo, many activist organizations such as the EFF and the Center for Democracy and Technology say the bill in its current form would undermine Americans' privacy rights online. Engine Advocacy, a new Silicon Valley tech entrepreneur advocacy group, dropped its opposition to the legislation last week after the committee removed the language about intellectual property, but remains neutral.
And in a Tuesday blog post, EFF Staff Technologist Dan Auerbach charged that the legislation could allow companies to filter or block Internet traffic:
"But as we've written in the past, CISPA is a bill that allows for companies to spy on users, pass along the information to government agencies like the NSA, and potentially filter or block Internet traffic, which could serve as justification for action against sites like Wikileaks. That's why we're calling on users to contact Congress to speak out against this bill ..."
Jaffer tuned into the discussion taking place in downtown San Francisco from his apartment in DC via Google+ on Thursday night. He blasted Auerbach for the post, charging that it's "just plain false."
"Anyone here can go on our web site and can read it for themselves," he said. "It says nothing about blocking. There's this canard out there that there is some countermeasures problem here, and there's nothing about countermeasures. Countermeasures is not addressed. There's no secret agenda here. I'm astounded to hear this continuous drumbeat of 'we don't know what it does.'"
Auerbach, who was also speaking on the panel, responded, "I think that this bill is like SOPA only in that the Internet community really wasn't consulted. It really was just the large companies that don't speak for the civil liberties community. I think it's irresponsible to engage in fear-mongering without giving evidence."
"We know for a fact," Jaffer responded, "that the nation is currently under attack, by nation state actors like China. The Chinese are all over our networks and they're stealing our intellectual property and economic information day in and day out."
"It's a constant sucking sound," as the information is being drained out of corporate and public sector networks, he shot back.
Still, many of the engineers in the audience didn't appear convinced by Jaffer's attempt to explain the Intelligence Committee's approach to information sharing.
Many of them asked why the legislation didn't use more specific language to pinpoint what kind of attack information could be delivered from the private sector to the government.
"We're OK with attack vector descriptions, but what we're not OK with is 'Here's the slave to my database, this is my entire database dump' — that's what we're not OK with, and that's why we're upset and concerned," said Jonathan Nelson, founder of Hackers and Founders.
"I read the bill for five or six hours, and I'm still fuzzy about what 'cybersecurity threat information' is," he said. "If it's just malware signatures, or source code, then just put that in the bill."
But Jaffer said that the committee had discussed that approach extensively with stakeholders in the debate and it just wasn't a workable one.
"You can't make a list of the things that will attack the system because technology changes so fast," he said. "If you write 'malicious portscan,' that's what's going to be in the law," even though the technology might change over time.
Though there was a clear disagreement between Jaffer and the Silicon Valley types in the audience about the committee's approach to the way private sector network threat information should be shared with the government, the tone of the panel was generally convivial.
Jim Dempsey, the Center for Democracy and Technology's vice president of public policy, reassured the members of the audience that "the online draft is not the end of the process, and I'll be talking to Jamil tomorrow morning, so we're making progress."
However, he said that the role of the Internet community has been crucial to getting the CDT's complaints heard. Dempsey acknowledged that committee staff had met with CDT many times during the writing of the legislation, but that none of their suggestions for the legislation were heeded until the Internet community started blogging and making noise online about the privacy and intellectual property implications of the legislation.
"The process here is working now, and this is different in some ways from SOPA," he said. "Chairman Rogers did not want his bill to suffer the fate of the SOPA bill. They have engaged with us extensively, and that has happened because of the press coverage and the grassroots activity, and because of the blogging and I think for the Internet community this is very important."
Crucial changes that CDT would like to see to the legislation include clearer language on making the Department of Homeland Security the main co-ordinating agency in the information sharing agreement, and not the National Security Agency, and the removal of language that CDT says would remove liability from companies for violating existing privacy and criminal laws. That language is the part that says that "notwithstanding any other provision of law," companies can share information "with any other entity, including the federal government."
The headline of this post has been corrected. The article has also been updated to reflect that while Engine Advocacy dropped its opposition to the legislation, the group is now not taking an official position on it.