The goal of CISPA, the Cyber Intelligence Sharing and Protection Act – the latest cybersecurity legislation pending in the House of Representatives – seemed so simple in the beginning: From time to time, security companies need to provide information about possible threats to government authorities so they can take action. When you write that idea down on a napkin, it makes sense. When you base legislation on what you wrote on the napkin, it becomes the next target of the Internet rights lobby.
The problem is that we live in an era when almost any system that can be exploited will be. The Internet is one example. The law is another.
You can’t disagree with what the napkin version of CISPA implies: Government alone cannot provide information security. When it’s put that way, everyone could get behind it. There are plenty of political ideas that, when presented as cleansed, bleached and distilled bullet points, immediately garner broad public support. The challenge lies with implementing these bullet points in a system that can’t be exploited. If SOPA taught us anything, it’s that anyone can exploit a system.
First, Shut Down Everything
The problem with CISPA’s original draft is that it would establish policies in a way that invites exploits. Any network admin will tell you that the best network access policies are default-deny: blanket restrictions with explicit exceptions. You turn off all access, then create a whitelist of specific identities or functions that may bypass that roadblock, and then you establish a comprehensive audit trail around every use of that bypass.
Yesterday evening in The Atlantic, Alexander Furnas made the point that CISPA is bad policy, at least insofar as it was originally crafted. He’s right in ways he didn’t get around to enumerating. While the basic principles of its author, House Intelligence Committee Chairman Mike Rogers, R-Mich., may be laudable, CISPA wasn’t built for the Information Age. Specifically, it sets up a channel for security agencies and security companies to talk about stuff that may (a very interesting word in this context) apply to cybersecurity.
This sharing of cybersecurity-related information between private and public agencies may entail the disclosure of personally identifiable data, or information that can be combined with such data to reveal other hidden characteristics (using what software vendors refer to as analytics).
Yes, there needs to be a way to accept that this sort of issue will crop up when information is being shared, and to excuse it so that every security issue doesn’t end up being resolved (or not) in a courtroom.
No, No, No “Notwithstanding”
But it is no longer good policy to simply legislate that certain information that may fall within a certain context may be shared; that anything that violates privacy may be excused; and that, worst of all, any law that says such violations may not happen may be overlooked.
That’s the danger of the clause that, even after Rogers’ first set of amendments last week (PDF here), remains in play – the one that begins, “Notwithstanding any other provision of law.” But many of the advocacy groups that seized on this clause did so in such melodramatic and apocalyptic terms as to invite reasonable people to defend it.
Yet there really is a problem with a policy that says, “Ignore everything else and treat this as paramount.” That’s not the type of exception that good information systems policy requires – the kind that creates a limited way around a blanket restriction. Instead, it is a weakening of links in the legal chain, and any weak link is likely to be exploited.
One fear is that such an exploit will come from rights holders who argue that compromising the security of a network in order to commit copyright violation is a threat to the nation’s economy and thus, by extension, to national security.
When you distill an idea to its basic bullet points, it’s harder to disagree with it. That’s why TV political ads are 30 seconds long instead of 30 minutes.
In reality, though, the theft of intellectual property is a legal matter, and should not be treated as a “cyber threat.” So the second set of Rogers bill amendments is quite welcome. They help define terms and refine the context of the discussion.
For example, the revised Definitions Amendment (PDF here) redefines “cyber threat information” using phrases such as: “information directly pertaining to… a threat to the integrity, confidentiality, or availability of a system or network of a government or private entity, or any information stored on, processed on, or transiting such a system or network.” Granularity is good.
A CISPA Whitelist
Now for the next step: a new set of recommended CISPA amendments. Rephrase the new policy the way a good admin would: as a prohibition against the distribution, without court order or lawful mandate, between private entities and government security services, of any information that may be used to identify or characterize a U.S. citizen. Start with a blank slate.
From there, use the classifications in the latest Definitions Amendment as exceptions. Stipulate that these are the circumstances in which exceptions must be made to protect vital national security interests.
Then, establish an audit trail. State that all transactions must be registered, and the log of those registries may be obtained by public request, pending the approval of a judge.
The danger is that this ideal may be boiled down to its bullet points to garner opposition:
- Government must not be open.
- The free flow of information is dead.
- People don’t have the right to know what’s being shared about them without a judge’s approval.
With the master’s touch of a political activist, almost any beneficial idea may be spun to sound fascist.
My 30-second rebuttal: We do need something like CISPA, but the privacy of American citizens and the national security of the United States are too important to be left to intentionally vague regulations and legislation. That’s the wrong kind of openness. With each set of CISPA amendments, however, a viable solution is coming closer.
Scott M. Fulton, III is the author of this document and is solely responsible for his content. He will appear live on NTN24 (DIRECTV 418) Friday, April 27, at 12:30 EST/9:30 PST to talk CISPA with Monica Fonseca.