CISPA, Redux.
Given the recent high-profile incidents regarding the systemic hacking of prominent news organizations, it’s not surprising to see cybersecurity move higher on Washington’s do-something list. To that end, last week word emerged that the House Intelligence Committee plans to reintroduce the Cyber Intelligence Sharing and Protection Act (CISPA) soon as another attempt to address some of the cybersecurity concerns facing the nation. Additionally, the Obama Administration is preparing to release its own executive order on cybersecurity matters in the very near future as well. Further, and perhaps quite conveniently, this week will see the release of a new National Intelligence Estimate (NIE) labelling China as the dominant threat to United States cybersecurity. And, of course, we have the usual media buzz about cybersecurity leading up to the industry's annual RSA Conference in a few weeks. February is turning out to be a very busy month for cybersecurity folks - but particularly those in Washington!
In terms of CISPA, it's common to see ‘information sharing’ and/or ‘improved information sharing’ between government and private sector entities proposed as a necessary remedy to help address our national cybersecurity problems. As I wrote last year (PDF), nearly every significant cybersecurity proposal or recommendation document since 1997 prominently identifies ‘information sharing’ as something that can help strengthen cybersecurity.
CISPA is the latest iteration of this oft-cited cybersecurity recommendation, but flawed in several ways, which my CIS colleague Jennifer Granick (among others) explored in-depth last year. Will CISPA 2.0 be any different or more effective if implemented than its predecessor? That might not matter, since recent cybersecurity incidents and sensational references to a “cyber 9/11” (here and here) made by senior Administration officials tend to stoke fear and force lawmakers into demonstrating the unfortunate nature of Politicians’ Logic: “something must be done [on a given issue]; this is something -- therefore, we must do it.”
Frankly, I believe the tools and processes to facilitate effective and meaningful cybersecurity information sharing already exist; there is no need to reinvent the wheel yet again or add controversial and/or questionable provisions to those processes. Rather, any new legislative and executive proposals related to ‘information sharing’ should focus on the unresolved problems of a) the over-collection of personal information in cyberspace along with its impact on personal privacy and b) the web of over-classifications, clearances and caveats (sometimes redundant and/or moronic in nature) that govern, if not also obstruct, how useful information -- including cybersecurity information -- is shared between interested people and organizations interested in or conducting cybersecurity operations.
That said, what I’m looking for -but not expecting to find- in CISPA 2.0 includes:
- Preventing the creation of what Jennifer Granick and Eric Goldman call the 'Cybersecurity One Percent' and what I term the 'CISPA Cartel'™. The original CISPA proposed developing yet another private cybersecurity information-sharing ‘club’ that likely would have high barriers of entry and lock up critical cybersecurity information in the hands of a select few while potentially excluding those who are best qualified to understand, contextualize, explain, and act upon it for the benefit of the Internet community as a whole. This reopens the so-called ‘vulnerability disclosure debate’ that’s raged within the cybersecurity community for nearly two decades.
- Removing blanket indemnification for companies disclosing security or operational vulnerabilities they discover about their products or services to the government or other ‘certified entities’ under the original CISPA. If so indemnified, there’s simply no incentive (or mandate) for them to fix such problems when challenged by those outside of the CISPA Cartel.™ In essence, vendors would receive a get-out-of-jail-free card when called to task for the quality, security, and resilience of their products by third parties -- that is, if such discoveries ever get made due to potentially broad interpretations of CISPA-mandated information restrictions. Monopolistic business practices are not conducive to cybersecurity!
- Abolishing the controversial ‘notwithstanding any other law’ language that would allow the original CISPA to override existing legal and regulatory frameworks and adversely impact things like public accountability, free markets, an informed citizenry, knowledgeable (or empowered) users, and assorted rights to privacy.
- Written (or otherwise on-the-record) assurances that CISPA’s provisions may not be used to enable more draconian technical restrictions or creative legal interpretations to protect intellectual property rights in cyberspace. Hollywood’s profit model is not a matter of national security, and should not be protected under laws allegedly enacted for such purposes. In other words, CISPA 2.0 must not be a stealthy SOPA 2.0.
That's for starters. Admittedly, my concerns may be misplaced depending on what the actual proposal says -- but we’ll know for sure when the draft legislative text is revealed. Stay tuned!
But speaking as someone with twenty years in the cybersecurity profession, if lawmakers truly are determined to improve cybersecurity, they will not fret again over who-has-access-to-what-type-of-information-and-when but rather engage in a robust effort to find, fund, and facilitate architectural improvements to America’s underlying cybersecurity infrastructure. The goal should be to acheive tangible, lasting, effective cybersecurity benefits that make our networks, data, and information services more resilient to many of the repeated security concerns that worry our lawmakers, corporations, and citizens. Anything less is doing what Chairman Rogers claims he is preventing with CISPA 2.0 -- namely, “admiring the problem.”
Last year, CNET’s Declan McCullagh reported that when the original CISPA was under consideration, Chairman Rogers pleaded with colleagues to ignore the various and poignant concerns expressed over the bill (which he shrugged off as “not true”) and to “Stand for America” by passing CISPA. One wonders if, in light of recent cybersecurity incidents and continued statements about a “cyber 9/11” such a patriotic appeal to fear will take place with CISPA 2.0 -- where shrill cries of “protecting the nation from cybercrime and cyberwar” will replace “think of the children” during markup hearings and lead to the enactment of controversial and ill-informed legislation.
Come to think of it, perhaps doing nothing is better than doing the wrong thing.