• United States



Need proof that CISPA stinks? Open your history books

Apr 23, 20126 mins
Data and Information SecurityPrivacy

Fear is always the spark that ignites the push for insidious laws. The PATRIOT Act comes to mind. So does the thankfully-tabled SOPA -PIPA legislation in that the entertainment industry was frightened by changes in how we get our music and videos and lobbied for censorship legislation instead of working on a better business model.

Now we’re scared over cybersecurity. We’re not in the state of blind fear we were in after 9-11, but we’re scared enough to do something stupid. 

After 9-11, all we saw on the news were reports of another spectacular attack in the works and how terrorists were looking for nuclear, chemical and biological weapons so they could kill millions more. Frightened numb, we allowed Congress to pass the PATRIOT Act — a law that empowered the government to spy on us like never before.

We didn’t care, because we wanted to be safe.

Now all we hear about are the attacks evil hackers are planning: downing the power grid in political protest, siphoning bank accounts dry; Chinese operatives hijacking American defense systems and, worst of all — terrorists taking down the entire Internet we’ve all become so dependent upon.

At SOURCE Boston last week, security luminary Dan Geer reminded attendees of something former White House chief of staff and current Chicago Mayor Rahm Emanuel said in the darkest days of the Great Recession in 2009: “Never let a good crisis go to waste.” Geer brought up the quote to point out that government will always take a mile when we give it an inch in a crisis atmosphere. In this case. Emanuel wanted to use the economic crisis as the stick by which Congress would pass sweeping laws to reform the healthcare system and change the face of the economy. Though the economy remains sluggish, the atmosphere of imminent doom receded to the point where Congress felt less inclined to give Obama the kind of first hundred days FDR enjoyed at the height of the Great Depression.

Now, I’m not going to tell you the cyber threat is a bunch of claptrap; that security vendors and government officials have launched a vast conspiracy to fool us.

The threats are real. I just think we should approach the threat the way the British did at the height of the German Blitz during WW II. They refused to cower and worked hard to keep life as business-as-usual as one possibly could with bombs dropping from the sky.

Let’s look at the current version of  the Cyber Intelligence Sharing and Protection Act ( CISPA), which was introduced last November and is scheduled for a vote in the U.S. House of Representatives sometime this week.

According to the full summary of  H.R.3523:

–Cyber Intelligence Sharing and Protection Act – Amends the National Security Act of 1947 to add provisions concerning cyber threat intelligence and information sharing.

–Defines “cyber threat intelligence” as information in the possession of an element of the intelligence community directly pertaining to a vulnerability of, or threat to, a system or network of a government or private entity, including information pertaining to the protection of a system or network from: (1) efforts to degrade, disrupt, or destroy such system or network; or (2) theft or misappropriation of private or government information, intellectual property, or personally identifiable information.

–Requires the Director of National Intelligence to: (1) establish procedures to allow intelligence community elements to share cyber threat intelligence with private-sector entities, and (2) encourage the sharing of such intelligence.

–Requires the procedures established to ensure that such intelligence is only: (1) shared with certified entities or a person with an appropriate security clearance, (2) shared consistent with the need to protect U.S. national security, and (3) used in a manner that protects such intelligence from unauthorized disclosure. Provides for guidelines for the granting of security clearance approvals to certified entities or officers or employees of such entities.

–Authorizes a cybersecurity provider (a non-governmental entity that provides goods or services intended to be used for cybersecurity purposes), with the express consent of a protected entity (an entity that contracts with a cybersecurity provider) to: (1) use cybersecurity systems to identify and obtain cyber threat information in order to protect the rights and property of the protected entity; and (2) share cyber threat information with any other entity designated by the protected entity, including the federal government. Regulates the use and protection of shared information, including prohibiting the use of such information to gain a competitive advantage and, if shared with the federal government, exempts such information from public disclosure. Prohibits a civil or criminal cause of action against a protected entity, a self-protected entity (an entity that provides goods or services for cybersecurity purposes to itself), or a cybersecurity provider acting in good faith under the above circumstances.

–Allows the federal government to use shared cyber threat information only if: (1) the use is not for a regulatory purpose, and (2) at least one significant use purpose is either for cybersecurity or the protection of U.S. national security. Prohibits the federal government from affirmatively searching such information for any other purpose.

–Directs the Inspector General of the Intelligence Community to submit annually to the congressional intelligence committees a review of the use of such information shared with the federal government, as well as recommendations for improvements and modifications to address privacy and civil liberties concerns.

–Preempts any state statute that restricts or otherwise regulates an activity authorized by the Act.

Several privacy rights groups — including the Electronic Frontier Foundation (EFF), the Center for Democracy and Technology (CDT), the American Civil Liberties Union (ACLU), and Fight for the Future — say the bill “would allow Internet companies and the government to collect virtually any private online user content under the pretext of cybersecurity.” Lawmakers have offered changes  to help prevent the government and businesses from running wild in its pursuit of personal data, but critics are not satisfied.

Are critics over-inflating the potential evil in this bill? Perhaps. Hyperbole has been bouncing around the halls of Congress since the beginning of the republic, and it usually comes from those fighting for AND against a particular piece of legislation.

But my gut tells me there has to be a better way to improve cybersecurity than CISPA in its current form.

If the bill’s sponsors aren’t really out to give the government absolute power, we’ll need to see some sharp language in there to ensure clear ground rules for what government can and cannot do during a cybersecurity investigation.

No amount of security is worth it if our liberty is diminished as a result.