CISPA: liability protection for companies under cyber attacks - Baltimore


Apr. 10, 2013 12:16 pm

CISPA: liability protection for companies under cyber attacks

Supporters of CISPA, federal cybersecurity information-sharing legislation, argue that all the bill does is provide companies legal protection in order to share cyber threat information with the government. But with a string of high-profile information attacks, the consensus is a new strategy is needed.
This is part two of a Technically Baltimore series on CISPA. Click here to read part one, about the privacy concerns surrounding cyber threat information sharing between private companies and the federal government.
Despite recent repeated threats from North Korea about engulfing Washington, D.C., in a sea of fire and targeting nukes at everyone’s favorite SXSW host city, the U.S. has more to fear from hackers launching cyber attacks from laptops than Kim Jong-un’s purported arsenal of Death-to-America weaponry. But recently introduced federal legislation hoping to improve information collection is being billed by opponents as an overreach — which is concerning because the need for a clear cyber strategy is growing.

Consider some recent high-profile cyber attacks:

The 2013 National Intelligence Estimate now tells us the U.S. is the target of a “sustained, cyber-espionage campaign.” And when BuzzFeed takes a break from “[Insert Arbitrary Number Here] Awesome Cat GIFs” to make mention that our nation’s “cybersecurity reckoning” is now upon us, things just got real.


From Mandiant's report, the targets of cybersecurity attacks from the Chinese army.

From Mandiant’s report, the targets of cybersecurity attacks from the Chinese army.

From this collective furor over America’s cyber unpreparedness emerges the Cyber Intelligence Security and Intelligence Act. More commonly known as CISPA, it was reintroduced in the House of Representatives in February principally because the act’s sponsors—Congressmen Mike Rogers, from Michigan, and Dutch Ruppersberger from Maryland’s 2nd District—believe it’s a critical measure to enhance the government’s ability to repel cyber breaches. The act calls for better information sharing between private companies and the federal government about cyber threats and attacks, and is up for a vote in the House Intelligence Committee this week.

Maryland, with its broad cybersecurity industry of more than 19,000 employees, might stand to benefit from such a measure that looks to bridge an information gap between private cybersecurity firms and federal-level agencies. That’s in addition to cyber infrastructure: by 2016, federal spending on cyber is expected to eclipse $14 billion, and U.S. Cyber Command and the headquarters of the National Security Agency are both inside Congressman Ruppersberger’s district.

As Technically Baltimore reported Monday, privacy groups, however, have advocated strongly against this bill, maintaining that information sharing could make Internet users’ personally identifiable information fair game for egregious governmental overreach.

Think of it this way: suppose a private company hands over to the government personal information gathered off a hacker’s computer, only to discover that person isn’t a hacker?

“What the bill does is encourage companies to actively monitor information by giving them immunity to monitor and hand over the information to the government,” said Mark M. Jaycox, policy analyst with the Electronic Frontier Foundation, no friend to CISPA.

But to effectively battle cyber attacks, companies—and the government—need actionable information, and that requires some sharing about from where attacks are launched.

  • To help the U.S. government slow or stop cyber attacks, companies “have to invite them into [their] network,” said Ron Gula, CEO of Tenable Network Security in Columbia. “I think a lot of corporations don’t realize that if they lose this [cyber] fight figuratively, they’re going to have the government on their networks helping them to defend themselves.”
  • In fact, since 1997, the National Security Agency has had “the authority to develop cyber attack network techniques,” according to declassified documents reported on by The Week in March.
  • What CISPA does, supporters charge, is merely provide private companies with liability protection so they can share cyber attack information with the government without fear of being sued. As Maryland Congressman Dutch Ruppersberger said at House Intelligence Committee hearings in February, that’s one of the foremost reasons why CISPA needs to become law.

Of course, the NSA knew of the importance of liability protection: as The Week reports, “NSA also surmised [in 1997] that its own perception as ‘the bad guy,’ along with legislation limited what it can do vis-à-vis computers that don’t belong to the government, would make it harder to become a cyber mission force.”

Access to computers “that don’t belong to the government” has been the sticking point for privacy groups arguing there’s inadequate protection within the bill for ensuring the safety of people’s personally identifiable information.

"A lot of people who are worried about privacy are right to be concerned about privacy."
Ron Gula, CEO of Columbia-based Tenable Network Security

“Nothing’s changed,” said Paul Kurtz, chief strategy officer for Inner Harbor cybersecurity firm CyberPoint. “[CISPA’s] just been reintroduced and there’s been no substantive changes … about privacy-related provisions the act.”

Kurtz has spent significant time on Capitol Hill working on policy issues around cybersecurity, including a stint in the George W. Bush administration as senior director for critical infrastructure protection on the White House’s Homeland Security Council.

“When you get into the definitions about threat information, it’s very, very hard to legislate that on Capitol Hill,” he said. In its current form, Kurtz said, CISPA “doesn’t adequately protect personal information.”

Assuming it’s the destiny of CISPA to become law, what’s the way forward?

Then again, as Tenable CEO Gula acknowledged, “I don’t think people realize how much data is really shared with the government already.” Or, for that matter, how much data private companies like Google collect on people anyway.

“A lot of people who are worried about privacy are right to be concerned about privacy,” Gula said. “But they just assume that a bill like [CISPA] gets passed, [and] the federal government is going to be reading their e-mail. I hear stuff like that, and that’s not the case.”

This is part two of a Technically Baltimore series on CISPA.


Already a contributor? Sign in here
Connect with companies from the community
New call-to-action


Sign-up for daily news updates from Baltimore