CISPA: The Devil is in the Details

Monday, May 07, 2012

Michelle Valdez


First of all I want to thank everyone who took the time to read my blog last week. 

I have been writing my entire career for the government in one capacity or another, so I am just finding my voice and learning how to capture it in a way others may be remotely interested in reading.  I welcome any and all comments and advice along the way!

As a follow-up to the blog posted last week about what is going on with all the draft cybersecurity legislation, I wanted to put together something on the bill that seems to have everyone talking. 

I have been reading article after article about the Cyber Intelligence Sharing and Protection Act (CISPA), and the more I read, the more convoluted the facts about what this bill is and is not became.

So, I decided to read it, word for word, and then do some analysis about what seems to have everybody digging in their heels, on both sides of the argument.


The Facts – CISPA 101

First of all, some facts about what the bill does and does not say.  Who are the main parties that are defined in this bill?  The first is the government.  The bill gives the Director of National Intelligence the responsibility to establish the procedures for all the sharing between the intelligence community and the private sector.

Information from the private sector can be shared with any Federal Government agency, but it then has to be shared by that agency with the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC).  The other main party is the private sector, which according to this bill includes cybersecurity providers and self-protected companies.

Next, what is being shared?  According to the bill, both unclassified and, as appropriate, classified cyber threat information can be shared by the Federal Government with industry.

On the other hand, industry can voluntarily share information about more than just cyber threats.  Amendments included before passage in the House added additional types of cybersecurity information to include:

  • Information to be used for the investigation and prosecution of cybersecurity crimes
  • Information for the protection of individuals from the danger of death or physical injury
  • Information for the protection of minors from physical or psychological harm
  • Information for the protection of the national security of the United States

These additions are one of the key issues causing such controversy. There are so many splits when it comes to cybersecurity legislation.  There are definitely some common threads, like I discussed in my previous blog, Procrastination in Cybersecurity Legislation.

One goal is definitely to find ways to improve sharing between the public and private sector.  On the surface (and for those who have only read summaries like this and not read the actual bill), this “seems” to meet a lot of the requirements that both industry and government have identified – better information, more collaboration, ways to share without added regulation, etc.  However, as always, the devil is in the details and that is what is lacking in this bill. 

What Really Are the Issues?

There seem to be two main issues that the Senate and the House need to come to some compromise on and address in one bill that can pass both chambers, make its way to the President, and not get vetoed.

The first is the role of the government.  I talk to cybersecurity experts from across critical infrastructure every day, and one of the things they absolutely do not want is more regulation.  Regulation will stifle information sharing and defeat the ultimate purpose of the cybersecurity legislation – sharing and collaboration.  CISPA does not mandate any sharing, and there is no “quid pro quo” required for information shared by the government to the private sector.

Another area of contention seems to be which Federal agencies can directly receive the information.  Privacy experts are especially concerned about intelligence community agencies like the National Security Agency having access to individuals’ private data without any sort of legal gatekeeping instrument, like a warrant, being required for access.

Some supporters of this bill have expressed their concern about the Department of Homeland Security having too much authority.  There is a section (Subsection (a)(c)(7)) that addresses how the Federal Government will protect individual information.

“Protection of Individual Information – The Federal Government may, consistent with the need to protect Federal systems and critical information infrastructure from cybersecurity threats and to mitigate such threats, undertake reasonable efforts to limit the impact on privacy and civil liberties of the sharing of cyber threat information with the Federal Government pursuant to this subsection.”

Um, if you can tell me what all of that means, I would really appreciate it.  This is a perfect example of one of the reasons why there are concerns about this bill – its vagueness.

The critics are looking for more specification about what the Federal Government will do to protect their personal information than this subsection provides.  Sometimes too much detail in legislation makes that legislation irrelevant. This is not one of those cases – the details are important when it comes to protecting privacy rights.

The other issue that needs to be addressed in whatever legislation is ever passed (if our legislators can ever come to an agreement about anything) is what data is shared.  The goal of any legislation for cybersecurity information sharing should be enabling the sharing of cyber threat knowledge. 

The problem that many have with CISPA involves all the other types of information that were added under one of the approved amendments.  The vagueness about what information can be shared has caused most of the concern – especially that catch-all category of “to protect the national security of the United States.”

Unfortunately, our government has had some examples of abusing its authority under the auspices of protecting national security.

Of course, a goal of any cybersecurity legislation should be to protect our nation and its most critical assets, but boundaries around what that means need to be defined in order to ensure that category of sharing is not abused for the wrong reasons. The Brookings Institute recently identified a different concern about what data is shared.

CISPA provides liability protections, and because of this, they identified the concern that companies may inundate the Federal Government with too much data, most of which has little to no actionable value.  Either way, what data is needed must be better defined to address the concerns of the wrong data being provided (whether of no value or having nothing to do with cybersecurity).

Until these key issues can be worked out – finding common ground on roles and data – cybersecurity legislation will continue to go nowhere fast.  Industry will remain concerned about the protection of its data and that any new regulation will kill the gains already being seen in the information sharing arena, even without such legislation.

We cannot afford to go backwards.  It will be a few weeks before the Senate takes up this legislation, and with the election coming closer each day, it seems less likely we shall see any successes until this time next year, when I will likely be blogging about the exact same issues.

Brian Ford: Great essay Michelle. I think that the concern that many have is the issue of fair harbor. You touch on this when you mention liability. What happens if a web site shares data investigating an attack and we find that the attack was against someone involved in criminal activity. Clearly law enforcement wants to arrest and seek to prosecute the criminal. Could the web site have some liability for facilitating the criminal activity? CISPA in its current form offers some immunity. A concern is how much.
Michelle Valdez: Brian, thank you so much for the comment! I agree with you about the concern of fair harbor. Any legislation passed needs to have incentives for industry to share which include addressing the issue of liability. Not only do companies want assurances that their own information won't be used against them in a law enforcement action, there are also the concerns of the protection of intellectual property and the responsibility a company has to its shareholders to do everything possible to protect their investment. If they are to share with the government and with other members of critical infrastructure, there needs to be some assurances that their information is not going to end up in the Washington Post or Wall Street Journal too. At the same time though, companies want to try to do everything possible to protect themselves, which in this environment, necessitates sharing. I think any legislation that is passed needs to account for all of these concerns in some fashion.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.