To CISPA Or Not To CISPA

Think about this.

Suppose that Craigslist, the ACLU, Reddit and the Electronic Frontier Foundation were all against a law because they all believed it would violate our privacy rights as computer users.

Would that make you think twice about your own computer privacy expectations vis-à-vis this law?

If you’re like me, it should give you pause, but if you read through all of their arguments, it should give you greater pause. These stalwart advocates of digital and real-world privacy rights (rights that I very much value) present discussions that betray a naiveté about the actual threat landscape. This is about balance between being safe and being hurt. Rights advocates are not doing enough to educate themselves about the actual threats. They see a bill making its way through the Senate, cry foul and spread fear.

Anti-CISPA banner ad

Whither CISPA

CISPA, the CyberSecurity Information Sharing Protection Act, the latest anti-CyberCrime bill to wind its way through Congress, has had a contentious path. The information sharing steps CISPA proposes are strongly supported by Intel, Verizon, Microsoft and a host of other businesses, as well as the U.S. Chamber of Commerce (which was itself the victim of an audacious cyber attack). Big Business believes that the steps outlined by the House version of CISPA are both vitally important and manageable, and I’ve been a strong and vocal advocate for just such measures.

But the Obama administration has threatened to veto the current version of CISPA, proposed by Congressmen Ruppersberger (D-MD) and Rogers (R-MI), which passed the House a year ago.

The Senate has yet to pass its version of CISPA, but the Administration already calls the version passed by House Republicans unacceptable because it rolls back "important provisions of electronic surveillance law without instituting corresponding privacy, confidentiality and civil liberties safeguards".

Whoa! Sounds pretty bad, right? Well, the criticism from privacy advocates and pushback from privacy groups against CISPA has been pronounced, to say the least.

I think the concerns of the Obama Administration and anti-CISPA groups are overly alarmist. I feel the Senate version of CISPA thoroughly addresses the need for civil liberties protections so that Big Brother isn’t breathing down everyone’s necks, yet it still gives Uncle Sam and Big Business the ability to work together to protect us all from the CyberAttacks that threaten our shared private/public digital infrastructure.

Don’t Hate CISPA

I am a strong supporter of CISPA and I agree with Chris Finan who recently wrote in Wired, “Don’t Hate CISPA, Fix It”, that the right thing to do is to fix CISPA instead of outright obliterating it. Agreed. And furthermore, I think the way to fix CISPA is by bringing a practitioner’s perspective to the problem, or rather, the problems (plural) of CyberSecurity.

There is no question we have a significant array of challenges when it comes to CyberSecurity. I’m not going to belabor this post with a litany of the advanced attacks that have occurred against companies, non-profit organizations and governments in just the last 8 years alone.

In all likelihood, if you’re here, you already know all about the last decade.

Having managed security for Fortune 100 companies for over 15 years, I have a keen perspective from the practitioner’s point of view. Ever since 2005 it’s been entirely clear that there are five key domains of malicious activity that cause data compromises, theft of property, compromised information and jeopardy to our national security.

I would argue that now is the time for cooler heads to prevail. When the Senate version is passed and the reconciliation process begins with the House version of CISPA, we should make sure to keep proportional focus on the following CyberSecurity domains in this order of importance:

1. Electronic Crime (e-Crime)
2. Nation State Espionage
3. CyberWarfare
4. Corporate Espionage
5. Hacktivism

I fundamentally believe that the credibility and security of data-enabled free markets is essential to everyone’s wellbeing. Based on my experience I would estimate that e-Crime accounts for over 50% of identified cyber attacks, and ultimately unless the trajectory of this vector is changed, e-Crime represents a challenge to the very legitimacy of our free markets, and the streams of confidential data and private information that uphold them. That means everybody. Even the “privacy advocates.”

That’s why, on CISPA’s home stretch, we should focus more than 50% of the legislative muscle on efforts to hone government-to-private-sector information sharing standards for e-Crime, the biggest part of the CyberSecurity problem. Remember how malware writers teamed up with spammers to create an incentive structure for distributing spam, and how that vector of malicious activity then fragmented into other areas such as DDoS-based extortion and fraud derived from compromised credit card information or “pay-to-click” scams.

And my intuition is more than corroborated by 2012 statistics from the Open Security Foundation, which tracks U.S. PII breach notification law violations and states that over 68.2% of 2012 disclosures were the result of hacking events and that over 2644 incidents took place, accounting for 267 million PII records being exposed. I suspect that this PII figure is a very conservative number relative to the actual PII exposed annually. And that's only in the US.

The truth is we need more than just CISPA. Simultaneously we need better private sector security performance and a stronger foundation of trust between governments and the private sector. I’ll take this challenge up in my next post.