April 14, 2012

CISPA, Cybersecurity, and the Devil in the Dark

The threat of "cyberattacks" is real enough. But associated risks have in many cases been vastly overblown, and not by accident of chance.

The "cybersecurity" industry has become an increasingly bloated "money machine" for firms wishing to cash in on cyber fears of every stripe, from realistic to ridiculous. And even more alarmingly, it has become an excuse for potential government intrusions into Internet operations on a scope never before imagined.

There are warning signs galore. While we can all agree that SCADA systems that operate industrial control and other infrastructure environments are in need of serious security upgrades -- most really never should have been connected to the public Internet in the first place -- "war game" scenarios now being promulgated to garner political support (and the really big bucks!) for "cyber protection" have become de rigueur for agencies and others hell bent for a ride on the cybersecurity gravy train.

Phony demos purporting to illustrate mass cyber attacks are more akin to Fantasyland than reality, and the turf war between the Department of Homeland Security (DHS) and intelligence agencies such as CIA and NSA in this sphere should give all of us cause for significant concern.

The Cyber Intelligence Sharing and Protection Act (CISPA - H.R. 3523) has become the embodiment of hopes for those entities who hope to turn overblown fears of cyber attacks into a pipeline for potentially massive access by government into the private data of Internet users.

Sponsors of the legislation tout its relative shortness and generality, but those are precisely among the aspects that make this legislation so problematic.

CISPA effectively overrides virtually all existing laws related to Internet privacy protections. And since CISPA offers firms access to government cybersecurity "threat data" in exchange for ostensibly voluntary feeding of data back from those firms to the government, and provides for broad protective immunity for companies that choose to do so, a pantheon of tech heavyweights have lined up in support.

Just a few of the firms who have to various extents professed direct support of CISPA include Facebook, Symantec, Verizon, IBM, Intel, Microsoft, and Oracle. There are many others.

Notably absent from this list is Google, who has not taken a formal position on the existing CISPA legislation and apparently is unlikely to do so.

Google's current approach to CISPA seems particularly prescient.

While it would be absolutely incorrect to attribute bad motives to the firms supporting CISPA, the legislation itself is in my view so vague and general that it represents largely an "empty vessel" capable of enormous potential damage if deployed and then subjected to the inevitable stream of court interpretations.

CISPA claims to ban using data collected under its authority for other than cyber threat activities. But we've seen such data compartmentalization bans fall many times before in other data collection contexts.

Since the legislation creates such a broad override of existing privacy protections, and such encompassing immunities for firms that provide associated data to the government, the lack of specificity in so many aspects of CISPA creates what could be the opportunity for a "perfect storm" of abuses down the line.

There are indeed genuine risks of serious attacks on the Internet and connected infrastructural systems. But in the fog of the military-industrial complex's rapid push into this area, it has become obvious that realistic assessments are being shoved aside in favor of scare tactics, agency power struggles, and "get rich quick" scheming.

This entire area has become a quintessential example of sowing F.U.D. -- Fear, Uncertainly, Doubt -- while legitimate questions of privacy and individual rights are purposefully being marginalized.

We saw much the same thing happen after 9/11, with the knee-jerk rush to pass the PATRIOT Act and Homeland Security Act, with a range of profiteering and abuses against individual liberties that then resulted -- even leading the U.S. down the evil path of torture.

We must avoid a repeat of this madness.

Information sharing can be a crucial element of cybersecurity, but for legislation addressing this area, the devil is very much in the details, and the lack of details in CISPA is an invitation to possible privacy disasters.

To the extent that cybersecurity threats do exist, the desire to quell them must not be permitted to run slipshod over our personal privacy, liberties, and associated protections in existing laws.

We can work together to help protect ourselves from actual cyber threats, without allowing ourselves to become cyber schnooks in the process.

--Lauren--

Posted by Lauren at April 14, 2012 12:01 PM | Permalink
Twitter: @laurenweinstein
Google+: Lauren Weinstein