CISPA: liability protection for companies under cyber attacks

Despite recent repeated threats from North Korea about engulfing Washington, D.C., in a sea of fire and targeting nukes at everyone’s favorite SXSW host city, the U.S. has more to fear from hackers launching cyber attacks from laptops than Kim Jong-un’s purported arsenal of Death-to-America weaponry. But recently introduced federal legislation hoping to improve information collection is being billed by opponents as an overreach — which is concerning because the need for a clear cyber strategy is growing.

Consider some recent high-profile cyber attacks:

Cyber attacks on oil pipelines have increased 52 percent over the last year, according to a Department of Homeland Security report published in December 2012.
Hackers have breached the security systems of the New York Times, the Wall Street Journal, Evernote, Twitter and several other companies since 2013 began.
A report from Virginia-based cyber firm Mandiant traced more than 115 cyber attacks launched against the U.S. back to a single unit within the Chinese army.
More than 140 cyber attacks have been hurled at Wall Street over the previous six months, said General Keith Alexander, head of U.S. Cyber Command, which is headquartered at Fort Meade in Maryland.
In March, the Director of National Intelligence issued a report saying that cyber attacks are the top security threat to the U.S.

The 2013 National Intelligence Estimate now tells us the U.S. is the target of a “sustained, cyber-espionage campaign.” And when BuzzFeed takes a break from “[Insert Arbitrary Number Here] Awesome Cat GIFs” to make mention that our nation’s “cybersecurity reckoning” is now upon us, things just got real.

From Mandiant's report, the targets of cybersecurity attacks from the Chinese army. — From Mandiant’s report, the targets of cybersecurity attacks from the Chinese army.

From this collective furor over America’s cyber unpreparedness emerges the Cyber Intelligence Security and Intelligence Act. More commonly known as CISPA, it was reintroduced in the House of Representatives in February principally because the act’s sponsors—Congressmen Mike Rogers, from Michigan, and Dutch Ruppersberger from Maryland’s 2^nd District—believe it’s a critical measure to enhance the government’s ability to repel cyber breaches. The act calls for better information sharing between private companies and the federal government about cyber threats and attacks, and is up for a vote in the House Intelligence Committee this week.
Maryland, with its broad cybersecurity industry of more than 19,000 employees, might stand to benefit from such a measure that looks to bridge an information gap between private cybersecurity firms and federal-level agencies. That’s in addition to cyber infrastructure: by 2016, federal spending on cyber is expected to eclipse $14 billion, and U.S. Cyber Command and the headquarters of the National Security Agency are both inside Congressman Ruppersberger’s district.
As Technically Baltimore reported Monday, privacy groups, however, have advocated strongly against this bill, maintaining that information sharing could make Internet users’ personally identifiable information fair game for egregious governmental overreach.
Think of it this way: suppose a private company hands over to the government personal information gathered off a hacker’s computer, only to discover that person isn’t a hacker?
“What the bill does is encourage companies to actively monitor information by giving them immunity to monitor and hand over the information to the government,” said Mark M. Jaycox, policy analyst with the Electronic Frontier Foundation, no friend to CISPA.
But to effectively battle cyber attacks, companies—and the government—need actionable information, and that requires some sharing about from where attacks are launched.

To help the U.S. government slow or stop cyber attacks, companies “have to invite them into [their] network,” said Ron Gula, CEO of Tenable Network Security in Columbia. “I think a lot of corporations don’t realize that if they lose this [cyber] fight figuratively, they’re going to have the government on their networks helping them to defend themselves.”
In fact, since 1997, the National Security Agency has had “the authority to develop cyber attack network techniques,” according to declassified documents reported on by The Week in March.
What CISPA does, supporters charge, is merely provide private companies with liability protection so they can share cyber attack information with the government without fear of being sued. As Maryland Congressman Dutch Ruppersberger said at House Intelligence Committee hearings in February, that’s one of the foremost reasons why CISPA needs to become law.

Of course, the NSA knew of the importance of liability protection: as The Week reports, “NSA also surmised [in 1997] that its own perception as ‘the bad guy,’ along with legislation limited what it can do vis-à-vis computers that don’t belong to the government, would make it harder to become a cyber mission force.”
Access to computers “that don’t belong to the government” has been the sticking point for privacy groups arguing there’s inadequate protection within the bill for ensuring the safety of people’s personally identifiable information.

A lot of people who are worried about privacy are right to be concerned about privacy.

“Nothing’s changed,” said Paul Kurtz, chief strategy officer for Inner Harbor cybersecurity firm CyberPoint. “[CISPA’s] just been reintroduced and there’s been no substantive changes … about privacy-related provisions the act.”
Kurtz has spent significant time on Capitol Hill working on policy issues around cybersecurity, including a stint in the George W. Bush administration as senior director for critical infrastructure protection on the White House’s Homeland Security Council.
“When you get into the definitions about threat information, it’s very, very hard to legislate that on Capitol Hill,” he said. In its current form, Kurtz said, CISPA “doesn’t adequately protect personal information.”
Assuming it’s the destiny of CISPA to become law, what’s the way forward?

For one, amendments more clearly defining terms in the bill—like those introduced the last time the House took up CISPA in 2012—should be added.
Clear revisions to the draft legislation that make personally identifiable information off limits is another step. As Kurtz told Technically Baltimore, PII is “just not necessary.”

Then again, as Tenable CEO Gula acknowledged, “I don’t think people realize how much data is really shared with the government already.” Or, for that matter, how much data private companies like Google collect on people anyway.
“A lot of people who are worried about privacy are right to be concerned about privacy,” Gula said. “But they just assume that a bill like [CISPA] gets passed, [and] the federal government is going to be reading their e-mail. I hear stuff like that, and that’s not the case.”
This is part two of a Technically Baltimore series on CISPA.

Read part three, on President Barack Obama’s Executive Order issued in February expanding the Enhanced Cybersecurity Services program, and why Tenable Network Security CEO Ron Gula supported the EO.

CISPA: liability protection for companies under cyber attacks

more news

Will AI eliminate work? Johns Hopkins debate attendees overwhelmingly say no

Everyone wants AI agents. Here’s the gap holding businesses back from deployment.

Ascender CEO Nadyli Nuñez to depart as nonprofit plans national search for successor

Meet the coordinator behind DC Public Library’s AI literacy push

How agtech startups like Guardian Aerial are reshaping Louisiana farming

This Philly-area vaccine maker wants to license data for AI learning