Civil libertarians are loudly protesting Congress's
renewed deliberations of the Cyber Intelligence Sharing and Protection Act (CISPA). The bill is intended to facilitate sharing cyberthreat information between government and the private sector to protect the nation from cyberattack.
You'd think there's not much to object to there. But the protests are against corporate immunities to prosecution under privacy and freedom-of-information legislation. CISPA opponents see the immunities as dangerous, but the government thinks they're necessary for companies providing information under the bill.
Ignore the noise, not because it is not important, but because it masks a basic flaw: CISPA doesn't do anything.
In fact, it offers so little, other than bureaucratic confusion, that it may well be counterproductive and damaging to both the industry and national security.
The raison d'être for the bill is that the National Security Act of 1947 does not mention cybersecurity. The House Intelligence Committee wants to correct this by adding CISPA as an amendment. The bill provides for the two-way sharing of cyberthreat information between the intelligence community and security-cleared companies and utilities. But it does not compel sharing. Nor does it say who owns the information shared, how it is to be used and managed, or what benefits are expected and to whom.
All it does is compel the Director of National Intelligence (DNI) to "establish procedures" to "allow" and "encourage" information sharing. The DNI has only 60 days from enactment to "establish procedures" and "issue guidelines," which he or she is instructed to "expeditiously distribute" to "appropriate" bodies.
The bill, however, does not mention implementing, mandating, incentivizing, or enforcing procedures. In fact, the bill specifically states that there will be no liability for non-participation. It assumes that companies will join automatically. Incentives? Only immunity from prosecution for anything done in "good faith."
The Hill.com quotes Michael Allen, a Committee staffer: "We are trying to write a bill flexible enough that will work. We understand we have to build the confidence of others so that companies will want to participate in it."
But there is a big difference between being flexible and being flabby.
There is also an assumption that companies and the government will use existing information sharing schemes. Another Committee staffer, Heather Molino, said, "We don't want to be spending money when we can just be coordinating information [sharing] across different government agencies. We don't want to make duplicative efforts." But allowing companies to choose which agency to share their information with, as the bill does, will reinforce division and duplication.
Giving people a return on investment is helpful in getting people to share assets. The government is asking each company to ante up a piece of an information jigsaw. In return, everybody, including government agencies, should get sight of the (same) big picture. If companies can share with a single agency, and agencies are not compelled to share with each other, where is the big picture?
Putting together the pieces, and avoiding duplicative efforts, requires oversight. The DNI is the obvious candidate, but he doesn't have to do it on his own. To get commitment, offer ownership. Have the oversight managed by a panel of representatives from the full range of participants, chaired by the DNI.
Apart from overseeing the process and monitoring the quality of the output, a panel would offer feedback from the participants, the ability to set standards and generally maximize economies of scale, and minimize duplication of effort.
Would it not make sense to work out what needs to be done and the best way to do it, and then work out what legislation is needed? Is information sharing between government and the private sector actually illegal? If not, why do you need CISPA to "allow" it?
A revision of President Obama's Executive Order of February 12 on improving critical infrastructure cybersecurity might well do the trick. But CISPA can only delay, and risk failure in, getting to grips with this monumental 21st-century headache. And it also demonstrates, again, how inadequate and out of step our legislative concepts and procedures are in an Internet-dominated world.