Does CISPA win the security battle but lose the privacy war?
There is a fight going on between security and privacy and it is your personal data and communications at stake. Many of you might remember hearing about SOPA, PIPA and ACTA. You might vaguely remember that on January 18th of this year websites, such as Google and Wikipedia, looked strange as the web protested these pieces of legislation. When I talk with companies and individuals they are not sure why SOPA, PIPA, and ACTA are considered "good or bad," and most are not sure what CISPA is all about. Only a handful know that it hit the news this week and that it is going to be voted on.
A quick overview is essential to understanding why you need to make sure your voice is heard. Regardless of whether or not you love the idea, you need to weigh in. It is an important part of the process to make sure we get the best chance at striking a balance between security and privacy.
SOPA stands for The Stop Online Piracy Act (SOPA) and is a U.S. bill that was introduced by U.S. Rep. Lamar S. Smith (R-TX) to help fight against counterfeit goods and stealing intellectual property. PIPA is an acronym of an acronym -- consider it the nickname for the PROTECT IP Act. The PROTECT IP stands for Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act. This is another law designed to help copyright holders to fight back against counterfeiting. It was introduced by Sen. Patrick Leahy (D-VT). The support for these bills are mixed. Companies such as Google, Wikipedia, and over 7,000 other websites either changed their site or went offline all day on January 18th to protest SOPA and PIPA. They felt the enforcement of SOPA and PIPA would be too ominous for the Internet community. Both pieces of legislation went on "hold" after the January 18th web protests.
ACTA is an international agreement. It stands for the Anti-Counterfeiting Trade Agreement and its goal was to establish international standards for copyrights and intellectual property rights. ACTA was signed in late 2011 by the U.S. and seven other countries, and the European Union signed it in January. ACTA has not been fully approved or ratified. The general public across the globe are unhappy because they feel that ACTA was negotiated in secret and most of the bill, including how it will be enforced, is not fully known. Just in the last few months, over 200 cities across Europe protested ACTA.
On the surface, the bills make sense. Doesn't everyone want to protect against counterfeit goods and fight cybercrime? The answer is yes, everyone wants the ability to fight crime. However, a lot of companies do not like that the laws are holding the website accountable when users are the ones posting content, meaning they would take the website offline if users violate copyright laws. This would make it very challenging for companies like Hulu or YouTube to manage their content, which is user-provided.
Now enters CISPA, which stands for the Cybersecurity Intelligence Sharing and Protection Act and was introduced November 2011 in the House. The bill's co-sponsors are Rep. Mike Rodgers (R-MI) and Rep. Dutch Ruppersberger (D-MD). According to Mike Rodgers' website, "H.R. 3523, the Cyber Intelligence Sharing and Protection Act, safeguards U.S. jobs by making it easier to identify and combat cyber threats, which steal over $200 billion in American intellectual property every year." The core goal of CISPA is to encourage better and more frequent information sharing. As most of those in law enforcement and the security industry will tell you, the key to fighting cybercrime is to share the details. Think of your neighborhood watch program. By learning about other crimes in the neighborhood, such as how the criminals got away with their misdeeds and other important details about the cases, you become more aware and equipped to better protect your personal residence.
CISPA creates that same element. Information sharing about cybercrimes by the victimized businesses in today's environment has been an ongoing challenge. Many businesses are reluctant to be public about being a victim. Some businesses believe it could spook their customers and cost them future business. Others think that by showing public weakness that it makes them a target for other attackers. CISPA hopes to allay these concerns by providing businesses a level of anonymity in reporting. It also has the backing of industry giants such as Microsoft, AT&T, Time Warner Cable and Facebook. The Guardian reported last week that 112 members of Congress are supporting the bill.
The bill begins with, "To provide for the sharing of certain cyber threat intelligence and cyber threat information between the intelligence community and cybersecurity entities, and for other purposes." So far so good, so where is the battle with privacy? Privacy advocates and security experts want better information sharing. The bill goes on to say, "IN GENERAL. -- The Director of National Intelligence shall establish procedures to allow elements of the intelligence community to share cyber threat intelligence with private-sector entities and to encourage the sharing of such intelligence." Read further and the language gets a little vague, creating discomfort about how privacy will be protected. "CYBER THREAT INTELLIGENCE. -- The term 'cyber threat intelligence' means information in the possession of an element of the intelligence community directly pertaining to a vulnerability of, or threat to, a system or network of a government or private entity, including information pertaining to the protection of a system or network from -- ''(A) efforts to degrade, disrupt, or destroy such system or network; or ''(B) theft or misappropriation of private or government information, intellectual property, or personally identifiable information."
Privacy advocates are concerned with the vagueness found in this part and other subsequent parts of the bill. It appears that in order to track down the "bad guys," all traffic might be monitored. That means the innocent would be monitored in order to track down the path of the alleged and the guilty. As organizations and individuals speak up about the monitoring and tracking, Rogers and Ruppersberger have made adjustments to the bill. It's not too late to have your voice heard. Read the bill for yourself -- it is brief compared to other bills -- and then decide your point of view. We would love to hear all opinions on this bill. You can find the bill at the House of Representatives page under: intelligence.house.gov/hr-3523-bill-and-amendments.