Steptoe Cyberblog

Why we need to fix CISPA, not kill it

Posted in Cybersecurity and Cyberwar, Privacy Regulation, Security Programs & Policies

I joined security guru Dan Kaminsky earlier this year to fight SOPA because it was bad for cybersecurity. For the same reason we joined in a Politico op-ed today to rebut attacks on CISPA, the Cyber Intelligence Sharing and Protection Act:

We may have thrown some of the first stones, but SOPA was ultimately buried by an avalanche of criticism. Tumblr, Reddit and Wikipedia, among others, even protested by taking their sites down for a day. The effect was not subtle. SOPA is dead.

They say victory has a hundred fathers. It also has a hundred would-be sons — and “son of SOPA” campaigns have proliferated. In Europe, for example, SOPA’s defeat inspired a surprisingly successful effort to block the Anti-Counterfeiting Trade Agreement.

Here in the United States, though, the debate has taken an odd turn. After stopping a bill that would have undermined cybersecurity, some Internet activists are now targeting bills that could actually make the Internet safer. They’re charging that bills like the Cyber Intelligence Sharing and Protection Act represent stealth attempts to resurrect SOPA under the guise of promoting cybersecurity….

There are ways to address this concern, but we must remember the bigger privacy and civil liberties threat: the Internet’s insecurity….

Without security, no network offers privacy. A hacked database offers no protection.

Part of the solution is to get better at sharing information. That means sharing attack signatures at light speed so as soon as a new attack vector is identified by one company, it can be blocked by others. Government needs to be part of that system — it has a lot to defend and it’s pretty good at identifying signatures.

But under current law, once the government shows up to receive information, private-sector participation slows from the speed of light to the speed of lawyers. Current law lets companies share information with the government without a court order only to protect their own networks against malware, but not to protect others….

In short, we need to fix CISPA, not fight it. We can all agree that if Facebook reports that a link has been used to propagate malware, the government should expend its resources to warn users and foil the attack, not issue notices of potential copyright violations about the link.

Remarkably, the House Intelligence Committee has proposed additional amendments that would accomplish precisely this goal.