Springtime for CISPA

Spring is here. The flowers are in bloom, the days are longer, and Congress queues up for another legislative proposal to 'address' cybersecurity in the United States. Yes -- springtime is CISPA-time.

Last year, on April 18, 2013, I discussed the "Cybersecurity Information Sharing and Protection Act" (CISPA) as it moved through the US House.  (And thankfully failed.)

Today, on April 29, 2014, I am reporting that a draft version of what already is being considered CISPA 3.0 (PDF) now is floating around the US Senate -- although perhaps this should be considered 'Son of CISPA' as it drops the "P" and now is called the "Cybersecurity Information Sharing Act of 2014."

Upon a very brief initial review, CISPA 3.0 continues the controversial proposal of granting broad immunities (including anti-trust) to technology companies for sharing cybersecurity information with "any other entity or the federal government" even if they do not fix the underlying problems and/or disclose them publicly to customers. "Any other entity" is fairly vague, and could range from established organisations like US-CERT and respected commercial security centers to a private administrative entity created exclusively for companies to "report" security information to and gain CISPA 3.0-provided immunities.

The proposal also takes a very broad view of what information can be shared and with whom -- a concern that previous versions of CISPA and many of the ongoing Snowden revelations confirm are viable privacy concerns for global Internet citizens.  However, while some attention is given to address privacy in this proposal, there remains a fair amount of legal flexibility both in its overall interpretation and for exigent circumstances that can render such privacy features moot.  Which, of course, are situations that never occur, right?

Interestingly, this proposal defines 'countermeasures' as "any action, device, procedure, technique, or other measure that meets or counters a threat, vulnerability, or attack by eliminating or preventing it, or by minimizing the harm it may cause."  While I need to re-read the entire proposal again, my initial reaction is to wonder how this language relates to active cybersecurity countermeasures (e.g., "strikeback" techniques) implemented by non-government entities against alleged sources of attack.

More to follow as it develops. 