On CISPA: Threat info sharing shouldn't be a spy project
Information sharing, at its core, is among the most effective ways to fight cyber crime. Plainly put, the saboteurs do it, so why shouldn't the very organizations that those adversaries seek to attack? Learning the details of a successful or attempted intrusion, such as the tactics used and who was behind it, can go a long way toward helping a peer avoid a similar fate.
There have been many successful law enforcement- and industry-led efforts, such as the Financial Services Information Sharing and Analysis Center (FS-ISAC), to promote this type of collaboration among the good guys. But now, it seems, Congress wants to codify the sharing of data through the Cyber Intelligence and Sharing Act (CISPA), which is due for a full House vote on Friday. Sounds great, right? Not really. The proposal vastly overreaches, at the expense of Americans' coveted freedoms and civil liberties.
Make no mistake, CISPA is not SOPA, the anti-piracy bill that was squashed earlier this year amid an unprecedented outcry from critics, including some of the most well-known web giants, such as Reddit and Wikipedia, which went dark for a day to protest the measure.
But CISPA is a very dangerous proposal in its own right. You see, when the sharing of threat intelligence data becomes the sharing of people's personal data with our three-letter agencies (without judicial oversight), serious problems come into play, and a bill full of murky language that is meant to help secure cyber space becomes a vehicle for expansive and excessive surveillance of the open internet as we know it. As CNET's Declan McCullagh explains:
What sparked the privacy worries [about CISPA] -- including opposition from the Electronic Frontier Foundation, the American Library Association, the ACLU, and the Republican Liberty Caucus -- is the section of CISPA that says "notwithstanding any other provision of law," companies may share information "with any other entity, including the federal government."
By including the word "notwithstanding," CISPA's drafters intended to make their legislation trump all existing federal and state civil and criminal laws. It would render irrelevant wiretap laws, web companies' privacy policies, educational record laws, medical privacy laws, and more. (It's so broad that the non-partisan Congressional Research Service once warned (PDF) that using the term in legislation may "have unforeseen consequences for both existing and future laws.")
CISPA strikes me as another example -- cough, NDAA, cough -- of powers meant to stop real criminals being turned back around on the people. Often, the justification for passing these laws amounts to nothing more than instilling fear of an unknown enemy, who, in the case of cyber, is some shadowy figure one line of code away from knocking out the lights from Boston to Bakersfield. For some context on how high the fear mongering can reach, just read this U.S. House Committee on Homeland Security press release, issued Tuesday.
Cyber threats are very real. Not so much the "cataclysmic" events that are designed to ruin "our way of life," as Rep. Peter King of New York would have you believe, but more likely the silent killers, like the commercially available exploit kits customized to steal bank login data, or the more stealthy espionage malware created to pillage trade secrets.
The intentions behind legislation like CISPA -- and this perhaps is giving our lawmakers too much credit -- seem to be in the right place. Admittedly, threat information sharing is sometimes riddled with difficulties, including concerns over competition and legal complexities. Making the process more seamless is commendable.
But surely this can still be achieved without eroding the civil liberties and Constitutional rights of Americans.