CISPA: liability protection for companies under cyber attacks

Supporters of CISPA, federal cybersecurity information-sharing legislation, argue that all the bill does is provide companies legal protection in order to share cyber threat information with the government. But with a string of high-profile information attacks, the consensus is a new strategy is needed.

This is part two of a Technically Baltimore series on CISPA. Part one covers the privacy concerns surrounding cyber threat information sharing between private companies and the federal government.
Despite recent repeated threats from North Korea about engulfing Washington, D.C., in a sea of fire and targeting nukes at everyone’s favorite SXSW host city, the U.S. has more to fear from hackers launching cyber attacks from laptops than Kim Jong-un’s purported arsenal of Death-to-America weaponry. But recently introduced federal legislation hoping to improve information collection is being billed by opponents as an overreach — which is concerning because the need for a clear cyber strategy is growing.

Consider some recent high-profile cyber attacks:

The 2013 National Intelligence Estimate now tells us the U.S. is the target of a “sustained, cyber-espionage campaign.” And when BuzzFeed takes a break from “[Insert Arbitrary Number Here] Awesome Cat GIFs” to make mention that our nation’s “cybersecurity reckoning” is now upon us, things just got real.

From Mandiant's report, the targets of cybersecurity attacks from the Chinese army.


From this collective furor over America’s cyber unpreparedness emerges the Cyber Intelligence Security and Intelligence Act. More commonly known as CISPA, it was reintroduced in the House of Representatives in February principally because the act’s sponsors—Congressmen Mike Rogers, from Michigan, and Dutch Ruppersberger from Maryland’s 2nd District—believe it’s a critical measure to enhance the government’s ability to repel cyber breaches. The act calls for better information sharing between private companies and the federal government about cyber threats and attacks, and is up for a vote in the House Intelligence Committee this week.
Maryland, with its broad cybersecurity industry of more than 19,000 employees, might stand to benefit from such a measure that looks to bridge an information gap between private cybersecurity firms and federal-level agencies. That’s in addition to cyber infrastructure: by 2016, federal spending on cyber is expected to eclipse $14 billion, and U.S. Cyber Command and the headquarters of the National Security Agency are both inside Congressman Ruppersberger’s district.
As Technically Baltimore reported Monday, privacy groups, however, have advocated strongly against this bill, maintaining that information sharing could make Internet users’ personally identifiable information fair game for egregious governmental overreach.
Think of it this way: suppose a private company hands over to the government personal information gathered off a hacker’s computer, only to discover that person isn’t a hacker?
“What the bill does is encourage companies to actively monitor information by giving them immunity to monitor and hand over the information to the government,” said Mark M. Jaycox, policy analyst with the Electronic Frontier Foundation, no friend to CISPA.
But to effectively battle cyber attacks, companies—and the government—need actionable information, and that requires some sharing about where attacks are launched from.

  • To help the U.S. government slow or stop cyber attacks, companies “have to invite them into [their] network,” said Ron Gula, CEO of Tenable Network Security in Columbia. “I think a lot of corporations don’t realize that if they lose this [cyber] fight figuratively, they’re going to have the government on their networks helping them to defend themselves.”
  • In fact, since 1997, the National Security Agency has had “the authority to develop cyber attack network techniques,” according to declassified documents reported on by The Week in March.
  • What CISPA does, supporters charge, is merely provide private companies with liability protection so they can share cyber attack information with the government without fear of being sued. As Maryland Congressman Dutch Ruppersberger said at House Intelligence Committee hearings in February, that’s one of the foremost reasons why CISPA needs to become law.

Of course, the NSA knew of the importance of liability protection: as The Week reports, “NSA also surmised [in 1997] that its own perception as ‘the bad guy,’ along with legislation limited what it can do vis-à-vis computers that don’t belong to the government, would make it harder to become a cyber mission force.”
Access to computers “that don’t belong to the government” has been the sticking point for privacy groups arguing there’s inadequate protection within the bill for ensuring the safety of people’s personally identifiable information.

“Nothing’s changed,” said Paul Kurtz, chief strategy officer for Inner Harbor cybersecurity firm CyberPoint. “[CISPA’s] just been reintroduced and there’s been no substantive changes … about privacy-related provisions [in] the act.”
Kurtz has spent significant time on Capitol Hill working on policy issues around cybersecurity, including a stint in the George W. Bush administration as senior director for critical infrastructure protection on the White House’s Homeland Security Council.
“When you get into the definitions about threat information, it’s very, very hard to legislate that on Capitol Hill,” he said. In its current form, Kurtz said, CISPA “doesn’t adequately protect personal information.”
Assuming it’s the destiny of CISPA to become law, what’s the way forward?

  • For one, amendments more clearly defining terms in the bill—like those introduced the last time the House took up CISPA in 2012—should be added.
  • Clear revisions to the draft legislation that make personally identifiable information off limits are another step. As Kurtz told Technically Baltimore, PII is “just not necessary.”

Then again, as Tenable CEO Gula acknowledged, “I don’t think people realize how much data is really shared with the government already.” Or, for that matter, how much data private companies like Google collect on people anyway.
“A lot of people who are worried about privacy are right to be concerned about privacy,” Gula said. “But they just assume that a bill like [CISPA] gets passed, [and] the federal government is going to be reading their e-mail. I hear stuff like that, and that’s not the case.”