The question I’ve been asked most this week is: Why are we opposed to the Cyber Intelligence Sharing and Protection Act (CISPA)?
Public interest groups including Center for Democracy and Technology (CDT), the Electronic Frontier Foundation (EFF), and the American Civil Liberties Union (ACLU), have been vocal in decrying its potential devastation of consumer privacy online by virtually eliminating the First and Fourth Amendments.
That would be reason enough for us to want to see this measure abandoned by the US Senate, but we also have additional concerns based on our organizational mission.
The DCIA is focused on commercial advancement of distributed computing technologies - such as cloud computing - and as InfoWorld, among others, reported this week, “CISPA poses a threat to the privacy of entire organizations, from non-profits and small businesses on up to enterprises - and even to the very future of cloud computing.”
While the ill-conceived measure purports to address an issue around which there’s general consensus - cybersecurity - it fails to accomplish that, while it would instigate a dangerous regime with a high potential for disastrous consequences.
As Congressman Markey (D-MA) opined this week, it should be called the cyber “insecurity” bill because it allows sensitive information to be shared with the federal government with impunity, even if it is not related to cybersecurity, and permits the government to use that data to spy on its citizens. Congressman Joe Barton (R-TX) agreed with Markey.
What CISPA does not do is require entities to disclose what they are doing to protect cybersecurity - or even to reveal when they have been attacked. What it does is condone the sharing of proprietary and confidential material in the total absence of judicial oversight.
Under the House-approved measure, the federal government, public agencies, utilities, and private organizations designated as “certified entities” would be able to freely circulate customer data without due process and without any fear of reprisal if supposed “concerns” regarding the data turned out to be totally unfounded.
Under the vague and overly broad language of the bill, “cybersecurity providers,” who would be encouraged to voluntarily divulge data, include broadband network operators, cloud services providers, and, ironically, software companies and services firms that offer cybersecurity benefits to their customers.
Congressman Jared Polis (D-CO) called CISPA “a massive government overreach, giving secret government agencies information without accountability.”
Hosting companies and data centers that support even the most rudimentary applications and include as part of their service the securing of their customers’ data, could simply choose to release information, including e-mails, financial data, proprietary business practices, and other sensitive private material.
The Internet service providers (ISPs), which transmit that data, could also elect to release it.
And the web-based companies or other institutions, which are engaged with their customers in the business transactions that rely upon this information, could similarly do so.
CISPA does not specify individual citizens as its targets, but rather is broad enough in its scope to include institutions of all kinds, from small and medium-sized businesses (SMBs) to large enterprises.
The criteria for determining to proceed with data disclosure are entirely subjective. Differing political views alone could justify providing access to information in the name of “protecting security.” A customer relationship dispute could trigger releasing data - as long as it could be posed as some sort of “security” question. Almost any related rationale could be made into an excuse.
And if the outcome was that the disclosed data in the end posed no cybersecurity threat, there would be absolutely no repercussions to the disclosing party. Zero consequences for performing an act that would be ruinous to the customer whose confidentiality would have been violated without due process.
In addition to this unacceptable elimination of a fundamental level of security expected in customer-vendor relationships, too much data is now being generated by individuals and institutions for this kind of approach even to be practical in achieving its stated goal if it were enacted.
According to the 2011 IDC Digital Universe Study, 1.8 trillion gigabytes of data were created last year; and Cisco projects that, by 2015, 1 million minutes of video will be transmitted over the Internet every second and there will be twice as many networked devices as there are people in the world.
Federal authorities can’t analyze this amount of traffic, and increasing the amount of data that they are expected to inspect and evaluate, as CISPA proposes to do, will just make matters worse.
What government reasonably can and should do is to focus much more narrowly on critical infrastructure subsets of this data, such as utility grids, internal government networks, and the financial system.
Securing those would fulfill its obligations to protect the citizenry from cyberthreats for which it should take direct responsibility. And facilitating new, distributed private sector response mechanisms, which would be much nimbler and more effective than CISPA’s centralized government program, would have far better results.
Our concern as a trade association seeking to foster the adoption of cloud computing and to encourage the innovative advancement of cloud-based services is this: CISPA, as drafted, could be the single greatest deterrent in the history of technologically-focused regulation to the usage of Internet-based solutions.
CISPA would stifle innovation in our sector generally, and impede cloud computing in particular.
If your organization is concerned in any way with the privacy of its data, why should it subject itself to storing proprietary information in a data center that is rendered totally insecure by government fiat?
And again the irony is profound here - especially if the hosting company or cloud services provider offers data protection - at any moment and without warning that vendor or other entity in the data flow chain could decide to share your sensitive data with the federal government and other parties.
This is why we oppose CISPA and urge DCINFO readers to respectfully ask your Senators to reject this measure, and also to request that President Obama veto it should that become necessary. Demand Progress supporters have sent more than 200,000 e-mails and 15,000 phone calls to Congress to stop CISPA.
A more reasonable approach would be to adopt the Cybersecurity Act of 2012, a Senate alternative to CISPA, which aims more narrowly to “enhance the security and resiliency of the nation’s cyber and communications infrastructure.” This not only avoids the privacy-threatening aspects of CISPA, but also has a greater likelihood of being successfully implemented thanks to its more realistic scope. The bill is far from perfect, but with careful redrafting could be much more effective - and less harmful - than CISPA.
The most effective cybersecurity strategy will be one that is agile and decentralized, focused on sharing information about threats and attacks, and, just as important, on proven ways to defend against them - approaches that are totally foreign to CISPA. Share wisely, and take care.