Sizing Up CISPA's Security Bona Fides
Apr 13, 2012 3:35 PM PT
The Cyber Intelligence Sharing and Protection Act (CISPA), which seeks to improve cybersecurity in the United States, is receiving a mixed reception.
Supporters include big names in the U.S. tech industry. Facebook, security vendor Symantec, Verizon, CTIA, IBM, Intel, Microsoft and Oracle are among them.
However, civil liberty advocates oppose the legislation, also known as Bill H.R. 3523. They've characterized the bill as akin to SOPA, the antipiracy legislation that went nowhere fast following massive online protests earlier in the year.
So, are the security measures proposed by CISPA good and effective? Or do they open a Pandora's box of potential problems?
Some of What CISPA Wants to Do
CISPA will let the intelligence community and cybersecurity entities share certain cyberthreat intelligence and cyberthreat information.
That sharing will be restricted to certified entities and people with appropriate security clearances. It must be consistent with national security needs, and the recipient of the intelligence must protect it against unauthorized disclosure.
Cybersecurity providers may, for security reasons, use systems to identify and obtain threat information to protect the rights and property of their clients. They'll be able to share that cyberthreat information with entities designated by the clients or with the U.S. federal government if the client expressly agrees. The information can only be shared with the federal government if it's specifically designated as a recipient.
Entities that protect themselves can do the same thing.
Information shared with the federal government will be exempt from disclosure, can't be disclosed outside of the federal government without permission, and can't be used by the feds for regulatory purposes.
The bill provides immunity from civil and criminal prosecution at both federal and state levels for organizations or their staff who use cybersecurity systems to gain information about cyberthreats or provide that information in good faith.
Support for the Bill
When asked for comment, Facebook spokesperson Andrew Noyes referred TechNewsWorld to a blog post by Joel Kaplan, the company's vice president of U.S. public policy. That post was supportive of CISPA.
CTIA president and CEO Steve Largent and CEOs from wireless companies that collectively serve 94 percent of America's wireless subscribers jointly wrote to the House Select Committee on Intelligence in support of CISPA. The proposed legislation would promote greater information sharing and improve security by disseminating real-time information to target and defeat cyberattacks, they said.
Verizon and Symantec did not respond to our request for comment for this story.
What's Wrong With CISPA?
The bill "uses extremely vague or broad language, leaving questions of effectiveness to be decided behind closed doors," Lee Tien, a senior staff attorney at the Electronic Frontier Foundation, told TechNewsWorld. "The benefits of information-sharing seem to be a mixed bag at best, given the added complexity of setting up an information-sharing system."
Further, there's buggy code in all operating systems and applications, and often these bugs are used by hackers. "It's not clear how the bill makes our devices more secure without addressing those problems," Tien said.
The bill seeks to help secure intellectual property against theft. However, "part of what is not in the public debate is the bill proponents' case for why CISPA is the right answer, how its model addresses the specific threat model envisioned as to intellectual property," Tien pointed out.
"The CISPA legislation permits the sharing of so much information that we're worried about the ocean of data the government could get access to," Gregory Nojeim of the Center for Democracy and Technology told TechNewsWorld.
More CISPA Fears
Another concern is that the bill will permit information sharing among various entities, which raises questions about how the shared information will be used.
A statute that protects privacy "ought to say, if you're sharing information for cybersecurity reasons, it can be used for only cybersecurity reasons," Nojeim pointed out. "Instead, CISPA allows the government to use the information for any reason and allows it to be used for undefined national security reasons."
Yet another problem the bill's critics see is that by allowing private information to be shared notwithstanding any other provision of law, the authority granted by CISPA supersedes every other privacy protection law in place, Spencer Belkofer, founder of Lumin Consulting, told TechNewsWorld.
"If CISPA is passed, privacy policies [consumers sign individually with companies] will do nothing more than create a false expectation of privacy," Belkofer said.