A Message About CISPA
More than 845 million people trust Facebook with their information, and maintaining that trust is at the core of everything we do. Keeping the site secure to protect our users and their information requires a combination of technological innovations; around-the-clock coverage from our dedicated staff; and relationships within the broader security community.
A successful defense against bad actors also requires that we have timely information about cyber threats. One challenge we and other companies have had is in our ability to share information with each other about cyber attacks. When one company detects an attack, sharing information about that attack promptly with other companies can help protect those other companies and their users from being victimized by the same attack. Similarly, if the government learns of an intrusion or other attack, the more it can share about that attack with private companies (and the faster it can share the information), the better the protection for users and our systems.
A number of bills being considered by Congress, including the Cyber Intelligence Sharing and Protection Act (HR 3523), would make it easier for Facebook and other companies to receive critical threat data from the U.S. government. Importantly, HR 3523 would impose no new obligations on us to share data with anyone –- and ensures that if we do share data about specific cyber threats, we are able to continue to safeguard our users’ private information, just as we do today.
That said, we recognize that a number of privacy and civil liberties groups have raised concerns about the bill – in particular about provisions that enable private companies to voluntarily share cyber threat data with the government. The concern is that companies will share sensitive personal information with the government in the name of protecting cybersecurity. Facebook has no intention of doing this and it is unrelated to the things we liked about HR 3523 in the first place -- the additional information it would provide us about specific cyber threats to our systems and users.
The overriding goal of any cybersecurity bill should be to protect the security of networks and private data, and we take any concerns about how legislation might negatively impact Internet users’ privacy seriously. As a result, we’ve been engaging directly with key lawmakers as well as industry and consumer groups about potential changes to the bill to help address privacy concerns.
The bill’s sponsors, House Intelligence Committee Chairman Mike Rogers and Ranking Member Dutch Ruppersberger, have stated publicly that they are working with privacy and civil liberties groups to address legitimate questions and concerns about how information might be shared with the government under the bill. They’ve made clear that the door is still open to change the bill before it comes to the House floor for consideration.
We hope that as Congress moves forward in considering this and any other cyber legislation, the result will be legislation that helps give companies like ours the tools we need to protect our systems and the security of our users’ information, while also providing those users confidence that adequate privacy safeguards are in place.
-- Joel Kaplan, Vice President-U.S. Public Policy