Stanford CIS

CISPA, Redux.

By Richard Forno on


Given the recent high-profile incidents regarding the systemic hacking of prominent news organizations, it’s not surprising to see cybersecurity move higher on Washington’s do-something list.  To that end, last week word emerged that the House Intelligence Committee plans to reintroduce the Cyber Intelligence Sharing and Protection Act (CISPA) soon as another attempt to address some of the cybersecurity concerns facing the nation. Additionally, the Obama Administration is preparing to release its own executive order on cybersecurity matters in the very near future as well.  Further, and perhaps quite conveniently, this week will see the release of a new National Intelligence Estimate (NIE) labelling China as the dominant threat to United States cybersecurity.  And, of course, we have the usual media buzz about cybersecurity leading up to the industry's annual RSA Conference in a few weeks. February is turning out to be a very busy month for cybersecurity folks - but particularly those in Washington!

In terms of CISPA, it's common to see ‘information sharing’ and/or ‘improved information sharing’ between government and private sector entities proposed as a necessary remedy to help address our national cybersecurity problems. As I wrote last year (PDF), nearly every significant cybersecurity proposal or recommendation document since 1997 prominently identifies ‘information sharing’ as something that can help strengthen cybersecurity.

CISPA is the latest iteration of this oft-cited cybersecurity recommendation, but flawed in several ways, which my CIS colleague Jennifer Granick (among others) explored in-depth last year.  Will CISPA 2.0 be any different or more effective if implemented than its predecessor?  That might not matter, since recent cybersecurity incidents and sensational references to a “cyber 9/11” (here and here) made by senior Administration officials tend to stoke fear and force lawmakers into demonstrating the unfortunate nature of Politicians’ Logic: “something must be done [on a given issue]; this is something -- therefore, we must do it.”

Frankly, I believe the tools and processes to facilitate effective and meaningful cybersecurity information sharing already exist; there is no need to reinvent the wheel yet again or add controversial and/or questionable provisions to those processes. Rather, any new legislative and executive proposals related to ‘information sharing’ should focus on the unresolved problems of a) the over-collection of personal information in cyberspace along with its impact on personal privacy and b) the web of over-classifications, clearances and caveats (sometimes redundant and/or moronic in nature) that govern, if not also obstruct, how useful information -- including cybersecurity information -- is shared between the people and organizations interested in or conducting cybersecurity operations.

That said, what I’m looking for (but not expecting to find) in CISPA 2.0 includes:

That's for starters.  Admittedly, my concerns may be misplaced depending on what the actual proposal says -- but we’ll know for sure when the draft legislative text is revealed.  Stay tuned!

But speaking as someone with twenty years in the cybersecurity profession, if lawmakers truly are determined to improve cybersecurity, they will not fret again over who-has-access-to-what-type-of-information-and-when but rather engage in a robust effort to find, fund, and facilitate architectural improvements to America’s underlying cybersecurity infrastructure.  The goal should be to achieve tangible, lasting, effective cybersecurity benefits that make our networks, data, and information services more resilient to many of the repeated security concerns that worry our lawmakers, corporations, and citizens. Anything less is doing what Chairman Rogers claims he is preventing with CISPA 2.0 -- namely, “admiring the problem.”

Last year, CNET’s Declan McCullagh reported that when the original CISPA was under consideration, Chairman Rogers pleaded with colleagues to ignore the various and poignant concerns expressed over the bill (which he shrugged off as “not true”) and to “Stand for America” by passing CISPA.  One wonders if, in light of recent cybersecurity incidents and continued statements about a “cyber 9/11,” such a patriotic appeal to fear will take place with CISPA 2.0 -- where shrill cries of “protecting the nation from cybercrime and cyberwar” will replace “think of the children” during markup hearings and lead to the enactment of controversial and ill-informed legislation.

Come to think of it, perhaps doing nothing is better than doing the wrong thing.