|
The bill, House Resolution 3523, or the Cyber Intelligence Sharing and Protection Act (CISPA) , was introduced in November by Reps. Mike Rogers (R-Mich.) andDutch Ruppersberger (D- Md.). It is currently under considerationby the full House of Representatives, but no vote has yet beencalled. The bill asks the Director of National Intelligence (currentlyretired Air Force lieutenant-general James R. Clapper) to establishprocedures for the government and the private sector to shareinformation about cyberthreats. The impetus for CISPA lies in the growing perception amonglawmakers and military personnel that America faces threats to itscritical infrastructure from foreign or terrorist computer hackers. Congressional testimony by military men warning of a "digitalPearl Harbor" may sound exaggerated , but the Stuxnet worm that crippled Iranian nuclear facilities in2010 proved that such dire scenarios have a basis in fact. Right now, the sharing of information between the government andprivate entities is restricted, in part because it is against thelaw for the government to favor one company over another. CISPA isan attempt to address that. Tell us, and you can do whatever you want Civil liberties groups aren"t opposed to the aims of thebill. Their objections are to language that would shield privateparties from any liability resulting from the sharing of cybersecurity information . In its current form, the bill says that as long as a privateentity is acting in good faith, there is no liability. The problem is that it"s hard to establish whether someonehas acted in good faith or not, said Lee Tien, senior staffattorney at the Electronic Frontier Foundation (EFF) in SanFrancisco. "There are few restrictions on that kind ofsurveillance," Tien said, referring to the constant networkmonitoring that would generate the data to be shared among agenciesand companies. "Compounding that, there is almost nothing leftof standard protection that kind of creates a balance betweenproviders and users." More to the point, Tien said, it is not clear from the bill whichgovernment agency is in charge of enforcing CISPA. Would it fallunder civilian or military intelligence? That question, Tien said,hasn't been fully resolved yet. The EFF, the American Civil Liberties Union (ACLU) and other groupslast week led a "week of action" against CISPA, urgingcitizens to contact their lawmakers via online social networks . Michelle Richardson, legislative counsel at the ACLU, said CISPA isthe worst of the various cybersecurity proposals currently underconsideration. Richardson explained that under current law, governed by theElectronic Communications Privacy Act of 1986, there are civil andcriminal penalties for releasing certain kinds of information. "What they could have said was, 'here is exception to ECPA andFISA [the Foreign Intelligence Surveillance Act of 1978]' —that would have kept the oversight," Richardson said."Instead, they said none of the privacy laws apply … There are bigger implications that most members onthe Hill don't understand." For example, the information-sharing provisions of CISPA containthe language "notwithstanding any other provision oflaw." That might apply to the Health Insurance Portability andAccountability Act of 1996, which set rules to guard the securityof private electronic health information. But only if you want to It's important to note that CISPA wouldn't require companies toshare information with the government. It would only let them doso. Dave Aitel, CEO of Miami Beach, Fla., security firm Immunity, Inc.,said CISPA is an attempt to do cybersecurity on the cheap. A reallygood program would cost infrastructure companies and the Federalgovernment money, and a spending- and tax-averse Congress is notwilling to do that. Aitel noted that a bill proposed by the Obama administration lastyear would have authorized the Department of Homeland Security totell infrastructure companies what to do to beef up their security. "That might have worked, but it was high-cost," saidAitel. It isn't clear what gains CISPA would provide, he added, though hecharacterized the overall aim — providing data to thegovernment so it can better assess cyber threats — as sound. There is a lot of talent in the private sector, Aitel noted, and ifthe government wants to see a pattern of attacks, for instance,it's likely that Symantec or Google will have a lot of usefulinformation. Some kind of protocol is necessary to disseminateinformation that could benefit everyone — but this bill isn'tquite it, Aitel said. Aitel is also concerned about the nature of the public-privateinformation sharing. He noted that the Microsoft Active ProtectionsProgram (MAPP), in which Microsoft partners with other companies toshare information about malware threats, was hit by a securitybreach last month. The breach led to the accidental release of malware code . "This [CISPA] is the same thing on a government level and hasthe same [potential] problems," Aitel said. Kyle Maxwell, a network-security specialist who writes the Overhack information-security blog , told SecurityNews Daily that provisions in CISPA offer a centralrepository for shared information (the Office of NationalIntelligence), but also offer exemptions to the Freedom ofInformation Act of 1996 and to any assumption of liability. On his blog, Maxwell pointed out that the "notwithstanding anyother provision of law" phrase doesn't automatically give private entities immunity from all other laws, and courts don't usually interpret it thatway. Maxwell also noted that there are two other bills pending inCongress that attempt to address cybersecurity. The Cybersecurity Act of 2012 was floated in February by Sens. Joe Lieberman (R-Conn.) and SusanCollins (R-Maine). The Secure IT Act was introduced in March by Sen. John McCain (R-Ariz.) and later inthe month introduced in the House by Rep. Mary Bono Mack (R-Calif.). Both bills, like CISPA, govern information-sharing between theprivate sector and government, but have tighter definitions of thekinds of intelligence that would be shared. There would be more support for CISPA, Maxwell said, if that billhad similarly specific definitions and restrictions. Aitel said there are good ideas in CISPA. For example, it providesaccess to the talent in the private sector that government agenciesdon't always have. Powerful enemies However, CISPA is running into serious opposition. The White Houseon Wednesday (April 25) sent a strongly worded letter to the House stating that President Obama would veto CISPA in its current form. "The sharing of information must be conducted in a manner thatpreserves Americans' privacy, data confidentiality, and civilliberties and recognizes the civilian nature of cyberspace.Cybersecurity and privacy are not mutually exclusive," theletter said. "Citizens have a right to know that corporations will be heldlegally accountable for failing to safeguard personal informationadequately," it said. "H.R. 3523 effectively treatsdomestic cybersecurity as an intelligence activity and thus,significantly departs from longstanding efforts to treat theInternet and cyberspace as civilian spheres." Rep. Rogers, CISPA's primary sponsor, was calm about the WhiteHouse letter. "This is just, I think, them kicking up some dust,"Rogers told the House Rules Committee Wednesday as it consideredamendments to modify CISPA, according to Politico. "We think we can answer questions to get it to a place wherethe president will sign it." Earlier this week, 18 House Democrats sent a letter to Rogers andhis co-sponsor Ruppersberger asking them to address their"real and serious" privacy concerns about CISPA, according to Computerworld . "Without specific limitations, CISPA would for the first time,grant non-civilian federal agencies, such as the National SecurityAgency, unfettered access to information about Americans' Internetactivities and allow those agencies to use that information forvirtually any purpose," the congressmen's letter noted. The EFF, the ACLU and the Center for Democracy and Technology haveall said the bill doesn't offer enough transparency about theinformation shared, or remedies for people concerned about theirdata. Silicon Valley switches sides Unlike the massive and successful pushback that took place againstthe Stop Online Piracy Act (SOPA) a few months ago, CISPA hasfailed to garner much opposition in Silicon Valley. Some major technology corporations that opposed SOPA, such asFacebook and Microsoft, are behind the bill. ( Google has admitted lobbying on CISPA but hasn"t disclosed its position.) Facebook is clear about its support of CISPA, though the company'svice president of public policy, Joel Kaplan, wrote a message to users clarifying the company's stance on privacy in the wake of userssaying they were worried about the bill. Rep. Darrell Issa (R-Calif.), who led the opposition in the Houseagainst SOPA, has added his name as a co-sponsor to CISPA. Even if CISPA turns out to be a good idea, it might be hard to getpublic support. "People don't trust this Congress," Aitel said. Richardson said dealing with cybersecurity vulnerabilities isn'thampered by privacy or liability issues, as demonstrated by thecoordinated responses to past threats such as the Conficker worm. "It's an organizational issue," she said. This story was provided by SecurityNewsDaily , a sister site to TechNewsDaily. The e-commerce company in China offers quality products such as Clad Metal Sheet Manufacturer , Titanium Metal Plate Manufacturer, and more. For more , please visit Welding Titanium Pipe today!
Related Articles -
Clad Metal Sheet Manufacturer, Titanium Metal Plate Manufacturer,
|
