Moving forward from CISPA
|May 02 2013|
|VERTIC Blog >> Verification and Monitoring|
Katherine Tajer, London
This week, the Cyber Intelligence and Sharing Protection Act (more commonly known as CISPA) is under consideration by the US Senate. Four versions of the bill have been rejected in Congress since 2012, so it seems unlikely that the bill will pass. Just last week, an online petition opposing the bill attracted over 117,000 signatures. The future of cyber security policy may not be with CISPA, but why not?
Beyond the media hype in recent months (the New York Times hack being the most obvious example), cyber-attacks are definitely on the rise: the Department of Homeland Security reported a 52 per cent increase attacks launched against the US from 2011 to 2012. Similarly, the Department of Business, Innovation and Skills (BIS) in the UK reported a 50 per cent increase in business related cyber-attacks from last year. While once considered the hobby of embittered adolescent ‘hacktivists’, cyber threats have now evolved into a serious international security and commercial threat.
International policy-makers have taken note of this threat, and besides making alterations to military doctrine and strategic planning, states are looking to legislation to fight back against undesirable online activity. While some states are adamant about their need to protect freedom of speech and commercial competitiveness online, others are more concerned with the security challenges created by the internet. International laws governing cyber-security would require controversial decision-making in a relatively unfamiliar field and have therefore struggled to gain momentum and credibility. Presently, there is only one international bill in effect the Budapest Convention—to which neither China nor Russia is a signatory. As a result, states have attempted to refine their internal cyber procedures before becoming more heavily involved with international policy. CISPA is one such attempt. The US—as a major political, commercial and tech power—will certainly have a large impact on how other states shape their policies. As a result, the weight of CISPA has already been felt far beyond the Senate chamber’s walls.
While CISPA has attracted mostly negative media attention, the bill does seek to serve an important purpose. As the title suggests, the bill aims to facilitate information-sharing between the intelligence community and the private sector. Cyber threats are often designed to attack wherever there are vulnerabilities—meaning the same type of attack could be repeated across sectors and across a period of weeks or even months. If American banks and power providers shared information on incoming threats with US intelligence agencies and vice versa, both sides would be better prepared to identify and root out attacks.
To be clear, the bill states that all forms of information-sharing on the behalf of either party would be strictly confidential and voluntary on the part of either party. It should also be noted that the various manifestations of CISPA have been promoted by tech leaders, such as Apple and Google, suggesting that this real-time information-sharing would be invaluable to cyber threat detection and private industry interests.
For many Americans concerned with civil liberties (the American Civil Liberties Union has been central to this debate) and of the Senate, the main issue with the bill is that it does not go far enough to protect personal privacy. The logic behind this is that if a bank account is implicated in a cyber-attack, then the account will be under the watch of the CIA, or the Department of Homeland Security, or the FBI.
The Senate claims that they are going to review the law, split the provisions up and prepare separate bills to approach the privacy issue in a more robust manner. Alternative and complementary bills are already on the horizon, such as the Cybersecurity and American Cyber Competitiveness Act of 2013, which requires any information that could allow personal identification to be removed before that information is forwarded to government agencies.
Despite the pushback against CISPA, global legislative trends nevertheless are heading towards greater information-sharing. In February of this year, Barack Obama signed an executive order to establish a more focused approach to critical infrastructure protection in light of the rising cyber threat, which will certainly increase government participation in this sector. Also in February, the Council of Europe published a set of directives asking for information-sharing between private and public sectors, and to require companies to report any major cyber incidents to their national information security authority. Neither of these provisions has been particularly popular, as many companies see exposing internal vulnerabilities as a possible threat to their stock value.
There are a huge range of considerations when establishing reasonable cyber law. As the battle of CISPA demonstrates, the interests of private citizens should be paramount, but are often difficult to protect. Information sharing could best protect important personal and national assets, but at what cost? It is a balancing act to maintain the borderless, competitive and commercial environment but also provide for greater protections. What’s more, beyond the political debate, the quickening pace of technology is making threats increasingly difficult to identify and legally guard against.
Last changed: May 03 2013 at 5:08 PMBack