Sophos Cloud Optix
Internet advocacy groups are lining up to scream and yell about a US bill proposed to amend the National Security Act (NSA) of 1947 called the Cyber Intelligence Sharing and Protection Act (CISPA).
While it seems nearly everyone has an opinion about the act, most of the reporting seems to focus on those who can speak the loudest.
I figured I would weigh in on what the act is intended to do and why civil liberties groups are so concerned about it.
The intention of the act is to explicitly add “cybercrime” to the list of offenses that fall under the National Security Act. This includes attempts to disrupt or destroy US computer networks and attempts at unauthorized access and theft of data from these systems.
Another component of the act would grant the government the ability to share information between the public and private sectors to facilitate better defensive cooperation and information to assist in criminal investigations.
It all sounds pretty reasonable on the surface, right?
As usual the devil is in the details and that is where this bill gets particularly messy.
Early versions of the bill used the following wording to define theft from US computer systems:
"theft or misappropriation of private or government information, intellectual property, or personally identifiable information"
Immediately groups like the Electronic Frontier Foundation (EFF) and the Center for Democracy and Technology decried the bill as SOPA part two.
It has commonly been referred to as “son of SOPA” in the press because the bill specifically makes statements about intellectual property.
While there is little room for vagueness in legislation, I do not believe that was the intention of the statement.
The authors claim the purpose was to include the theft of intellectual property pertaining to trade secrets, industrial designs and other information the US has accused China of stealing en masse from US companies.
The offending statement about intellectual property has been removed in current versions of the bill.
The larger concern for many was the expectation that US companies would share information about cyberattacks with the US government and the bill does not specifically prohibit sharing personal information or adequately restrict its usage.
The EFF in particular takes issue with wording from the bill that states “Private information may be shared notwithstanding any other provision of law.”
That is indeed some pretty scary wording, which has led the White House to respond.
Without mentioning CISPA, National Security Council spokewoman Caitlin Hayden was quoted in The Hill as saying:
"Also, while information sharing legislation is an essential component of comprehensive legislation to address critical infrastructure risks, information sharing provisions must include robust safeguards to preserve the privacy and civil liberties of our citizens. Legislation without new authorities to address our nation’s critical infrastructure vulnerabilities, or legislation that would sacrifice the privacy of our citizens in the name of security, will not meet our nation's urgent needs"
This time I think the White House has it right. Information sharing, even if only between private sector organizations, is critical to our building an effective defense.
It may also be the key to being able to more accurately identify our adversaries and the methods they are using to gain access to our systems.
While some industries share information and have a reasonable picture of what we are up against, most do not.
To accomplish these goals by casting our privacy rights in the trash heap in a rush to be “secure” is more insane than doing nothing at all.
We have seen too many laws take away our rights in the name of security already, with little to nothing to show for it.
I know it might sound crazy… But perhaps we can respect current privacy protections and still share information with one another for the betterment of all of our security?
I know it sucks, that means you will actually have to care and try a little harder, but there are still two viable options available to you.
You can decide it is too hard and continue to suffer attacks, have your business plans stolen and struggle to survive in an ever more competitive market or you can respect the law and your customers, work extra hard to together with others in your position and be stronger for it in the long run.
Creative Commons image of three monkeys courtesy of Jebulon.
People are upset about this because there’s been a steady erosion of privacy in the name of security is 9/11. The argument that citizens have to give up privacy for security is false. Give up privacy and security is meaningless. See GWU law professor, Daniel Solove’s “Nothing to Hide: The False Tradeoff Between Privacy and Security”. Yale UP. 2011.
Ben Franklin once said, “They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety.”
CISPA appears to be a handy " law " to have, if all it did was find some place to " house " cybercrime.But the problem is that CISPA isn't just about finding a statute to use when cybercrime is prosecuted.It tries to " define " cybercrime & present a method of sharing information between private companies, private individuals, & the government… all without mentioning the words warrant &/ subpoena.As far as sharing with private individuals goes, said private individual must have proper " security clearance " from either the government or their company.CISPA doesn't limit what type of information about a private individual can be shared, it only limits what type of private individual with whom the information can be shared.Actually,CISPA seems pretty well useless to me.There are already systems in place that do what CISPA claims to do without doing what it actually does.The problem is that these systems require either a warrant or a subpoena when they are dealing with the data of a private individual or company.CISPA would try to do away with this requirement.
Trashing Due-Process., I agree with Freida. This is what it's all about.
Great article, Chet.
CISPA is a symptom of a much deeper problem — one that most people don't even recognize. I'm talking about the presumption that the perversion we've come to view as "government" MUST wield irresistible coercive power in order to protect us.
It's a myth. The state never hesitates to wield the power, yet it never manages to provide any real protection. In the process, it steals our money, our property, our privacy, and in some cases our very lives in order to "protect" what's left.
It's not working. Every time they pass another one of these idiotic laws, we lose more freedom. It's always so easy to justify it; there's always some boogeyman…some fear that they use to sell it. And that's how our liberty has been eroded, degree by degree.
Occasionally, even those who run the mechanism of state manage to cough up a warning…
"A government that's big enough to give you everything you want is big enough to take it all away." – Barry Goldwater
"Government is not reason; it is not eloquent; it is force. Like fire, it is a dangerous servant and a fearful master." – George Washington
…but no one pays any attention.
It's an addiction, this obsessive belief that "government" can solve all our problems. Unless we come to our senses and learn to take more responsibility for our own security, the addiction will eventually prove to be fatal to human freedom.
We, the people, are going to have to bite the bullet and start voting for independent senators and representatives.
Consider the GOOOH movement. It is a group of people seeking to field and elect average, everyday citizens to the house of representatives. People like Sally the waitress, Ben the car mechanic, Ed the baker, Jane the caterer. They know you can't keep spending more then you earn. People like them would vote NO to wasteful spending and slowly, steadily, get America back on sound money policy.
Both of the current parties have been complicit in the wasteful spending and dangerous policies that have buried the US in harmful debt.
Vote the morons out and get some citizens in there. It was supposed to be a government OF the people, FOR the people, and BY THE PEOPLE.
Not of, by, and for a group of over payed, unpatriotic lawyers.