An online activist site has collected 300,000 signatures in opposition to a pending "cyber-security" bill that critics say would allow increased government spying on the Internet. The petition focuses on a bill by Rep. Mike Rogers (R-MI), but his legislation is one of at least four proposals now being considered by Congress.

According to Jerry Brito, a researcher at the Mercatus Center at George Mason University, there are four competing bills because the two parties—and the two houses of Congress—disagree about how best to deal with online security issues. One point of controversy is over who will take the lead on the issue, the Department of Homeland Security or the National Security Agency. A bill by Senator Joseph Lieberman (I-CT), which would have given the leading role to DHS, was originally expected to pass easily through the Senate. But several Senate Republicans, led by Sen. John McCain (R-AZ), were dissatisfied with the Lieberman bill and introduced competing legislation that envisioned a larger role for the NSA.

The ensuing partisan gridlock in the Senate created an opening for the House to act, and at least two pieces of legislation have been introduced in the lower chamber. The leading bill, by Rep. Mike Rogers (R-MI), follows Senate Republicans in allowing sharing with the NSA. It focuses on facilitating information sharing, both between the government and the private sector, and between private network operators. It exempts "cyber-security" information-sharing from other legal restrictions, and it immunizes network providers from liability for failing to act on information they receive under the provisions of the act.

A competing bill, sponsored by Rep. Dan Lungren (R-CA), places stricter limits on which agencies can receive information and what they can do with it.

"Classic case of overreach"

Ars Technica asked Jim Dempsey of the Center for Democracy and Technology to evaluate the competing bills. He argued that all four bills go too far in allowing private companies broad authority to share information with the government. He said the Rogers and McCain bills, in particular, "allow private companies very broadly to share cyber-security information with the government," including the NSA.

Dempsey argued that was troubling. "The NSA is responsible for protecting the government's classified systems," he said. "It's not responsible for protecting private networks. The agency should not be getting routine disclosure of information about private information over private networks." Dempsey said the House bill by Rep. Dan Lungren (R-CA) is the narrowest of the four bills, requiring that information shared with the government only be used for "cyber-security" purposes.

Still, Dempsey questioned whether new legislation authorizing private-to-government information sharing was needed at all. "If you're being attacked, either in the real world or the cyber world, you're always permitted to disclose that information to the government," he said. He said that CDT could support legislation to clarify that private firms are allowed to report network intrusions to the government, but he said the current proposals are a "classic case of overreach."

Dempsey did voice support for a few other tweaks to the law. He suggested Congress should update wiretapping law to make it clear that service providers are allowed to share information about attacks with one another. Under existing law, he said, service providers are allowed to monitor their own networks for security purposes, but it's unclear how much information a network provider can share with other networks to help coordinate defenses against online attacks.

Unintended consequences

Dempsey said this approach—focusing on narrow fixes to existing statutes—hasn't been popular on Capitol Hill. He said the lawmakers he has spoken to have expressed doubt about whether wiretapping law was the only obstacle to effective network security measures. But rather than trying to figure out what other legal obstacles to information sharing might exist, and fixing them directly, the leading bills all grant broad exemptions for sharing information related to "cyber-security."

That has the obvious advantage of reassuring network providers that they can share information without legal problems. But it could also have significant unintended consequences. By granting firms who share information broad immunity from other provisions of law, Congress may be effectively changing any number of other statutes. Dempsey described it as a "blunt instrument," and warned it could become a loophole for circumventing any number of important privacy protections.

Brito is even more skeptical than Dempsey about the need for new legislation. He argues that private parties already have ample incentives and capabilities to lock down their own networks. If the government has information that would be helpful to the private sector, it should share it, he said. That doesn't require action by Congress.

The breadth of the proposals, and especially Rep. Rogers's Cyber Intelligence Sharing and Protection Act, has sparked a growing public backlash, with some opponents comparing the bill to the Stop Online Piracy Act that was defeated in January. The comparison is a bit of a stretch; SOPA was focused on blocking access to information, while the current crop of "cyber-security" bills are more focused on network monitoring and information sharing with the government.

But the bills do have one important similarity: they're likely to attract many of the same enemies. The Internet freedom activists who helped kill SOPA in January have been looking for their next target. And CISPA seems like a good choice.