There Is A 'Right Way' To Do Cybersecurity Information Sharing, But CISPA Is Not It
from the sharing-is-caring dept
We’ve argued, repeatedly, that the backers of various cybersecurity bills have failed to give a real reason for why such bills are needed. What is the imminent threat and why does it need legislation? The only point of issue that has made some sense is that you can envision areas where it would be quite useful for companies and governments to share specific threat- or attack-related information, for the purpose of stopping that (or related) threats and attacks. But that’s a very limited scenario. The entire framework of CISPA ignores that, which is why it’s unclear if the bill even could be fixed. That said, Julian Sanchez, over at the Cato Institute, has posted an interesting analysis of what information sharing regulation should look like. First, he discusses the problem with the CISPA setup:
CISPA worked by creating a sweeping exception to all other privacy and surveillance laws, granting blanket immunity to any “entity” that chose to share vaguely defined “cyber threat information”—potentially including the contents of e-mails or other online communications—with both private actors and the government. When civil liberties advocates cried foul at the prospect of such vast quantities of private data being handed over to government on a silver platter, the bill’s supporters tried to placate them by tacking on an array of after-the-fact anonymization requirements and use restrictions—forbidding the use of the data except for a “cybersecurity purpose” or for “the protection of the national security of the United States.”
That wasn’t much consolation to anyone who’s watched how the government has tried to interpret similar “purpose” restrictions in the past. In 2002, for example, then–Solicitor General Ted Olson argued for a highly expansive view of the “foreign intelligence purposes” for which information obtained through national security wiretaps could be used, including using evidence of misconduct unrelated to terrorism or espionage to force people to become informants. If a wiretap turned up evidence of tax evasion or rape, for instance, Olson suggested the government “could go to that individual and say we’ve got this information and we’re prosecuting and you might be able to help us. I don’t want to foreclose that.” It’s no great leap to imagine a future solicitor general arguing that extorting the cooperation of hackers, penetration testers, or other tech professionals would similarly serve a “cybersecurity purpose.”
Basically, take a broad, vaguely defined law for a specific purpose… but leave it open to allowing the government to stretch that definition, and the government will almost always do so.
But, again, you can see cases where information sharing could be useful, so Sanchez suggests what might make sense there:
Instead of indiscriminately adding a cybersecurity loophole to every statute on the books, why not figure out which specific kinds of information are useful to security professionals without compromising privacy, figure out which laws raise obstacles to that sharing, and then craft appropriately narrow exemptions? (One assumes the intelligence agencies can be afforded more discretion about when to share the information already in their own possession—whatever else one might say about it, “oversharing” is not among the NSA’s problems.)
The exceptions could be appropriately narrowly tailored depending on the sensitivity of the information involved. For instance, different sections of the Electronic Communications Privacy Act deal with different kinds of data. Subsections (1) and (2) of 18 USC §2702 deal with the contents of communications in transit through or stored by a communications provider, generally prohibiting use or disclosure of that information without specific consent. Subsection (3) covers subscriber information and transactional data about those communications, and generally permits voluntary sharing, but specifically prohibits sharing with governmental entities. Since that transactional information is typically less sensitive than communications themselves, an exemption there might allow providers a fair amount of discretion to determine what constitutes “cyber threat information” and permit sharing with government also, subject to the appropriate anonymization and use requirements. For the more sensitive contents, the exception might be limited to a relatively specific laundry list of kinds of data that are both unquestionably security-related and limited in their implications for privacy, such as malware signatures and attack payloads.
In other words, let’s more carefully define the real problem here. The government is insisting that information needs to be shared, but that’s not “the problem.” Information can be shared already. The reason that CISPA works by creating a huge immunity umbrella is that the “problem” with sharing isn’t that information can’t be shared, but that certain already overburdensome regulations block certain kinds of sharing in situations where it makes sense. The answer isn’t to remove all liability for the oversharing of info, but to narrowly create exceptions to where key information that actually is necessary to be shared can have that done without violating the law. In other words, as you dig deeper, it appears that the problem isn’t about sharing information — it’s about a series of existing laws that failed to take into account future realities. So, a much more targeted and reasonable solution is to figure out exactly where that friction is, and to clear out those blockages. But, that’s not what CISPA does.
Filed Under: cispa, cybersecurity, information sharing, julian sanchez
Companies: cato institute
Comments on “There Is A 'Right Way' To Do Cybersecurity Information Sharing, But CISPA Is Not It”
Mike, outside of your immediate friends (and the people paying you as a consultant / lobbyist on the issue), have you noticed a total lack of outrage here? Clearly this isn’t on par with the “take away your free youtube videos” scenerio.
Take it as a little proof how SOPA will come back to get you, a little at a time.
Good thing Julian did all that work in writing that article so you could just copy it here and add a few of your stock thoughts to it. This blog is easy! Just wait for someone else to write something, add a thing or two to it, and call it your own. Techdirt!
So the American government wants to punish sharing when it is the public who do it, but encourage sharing when it’s corporations and the government. A paradox: corporations are allowed to do whatever they like, while the people are constricted and criminalised.
Re:
I have no problem with reporting interesting things written by others. You’re indoctrinated with the “property” mindset about information, while it should be about sharing for the greater good.
Re:
So no one is able to offer their opinion on others work? Got it. Asinine as usual AC. Thanks for keeping the quality standard high. /s
Re:
There is widespread outrage, even abroad. And who would be paying Mike? There is no rich lobby with an interest against CISPA. Please provide proof or accept that people will call libel.
surely the problem is ensuring that information isn’t shared with anyone unless absolutely necessary, is 110% safe, not only from unnecessary sharing but also from unlawful sharing and those with access to the information are never permitted to remove, copy or transfer that information for any reason from the place of storage.
Metallica Song Title
Where’s the “sad but true” button when I need it?
Obviously the MAFIAA couldn’t get their whole pie, so instead they’ll get it one crumb at a time.
Today's bogeyman
Today, congresscritters made a great deal of alarmist remarks about how they need CISPA because of the threat of Iran releasing jihadist script kiddies:
http://www.informationweek.com/news/government/security/232901044?cid=RSSfeed_IWK_News
http://thehill.com/blogs/congress-blog/foreign-policy/223901-iranian-cyber-threat-cannot-be-underestimated-meehan
This is ironic considering that the history of major cybersecurity threats puts Iran in the victim role and the US in the alleged perpetrator role. http://www.telegraph.co.uk/technology/news/8541587/Stuxnet-virus-US-refuses-to-deny-involvement.html
Re:
That’s right badmouth someone helping us way to go cowards!
Re:
That’s interesting, according to Techdirtbag Nation, the overthrow of SOPA was driven by the public groundswell, not rich tech firms and lobbyists. So if that’s true why isn’t that “widespread outrage” translating into action?
Unless of course you realize that anti-SOPA movement was as organic, genuine and spontaneous as mourners at a North Korean leaders funeral.
Re:
Here’s the paradox: people want to share copyrighted content that isn’t there’s to share but not their own information.
Re:
You’d be better served just making your own tinfoil hat.
Re:
I am only doing what Mike would do on a normal day, drawing a conclusion through inferences.
Mike is suddenly AWOL and in meetings on the East Coast this week, just as CISPA comes up, and just as he is ramping up the anti-CISPA rhetoric online here. You can draw your own conclusion. I stated my opinion, it may be right or wrong, but certainly the timing seems relatively suspect.
Gosh chaps. Now you too can have your emails read, the same way the rest of us in the rest of the world, get ours read by your security services as we don’t have any Amendment protections and all email traffic goes via the US at some time in its journey despite the origin and receipient being non-US based. Get used to it. We have.
Re:
Makes it a lot easier for people like me to find all the articles I’m interested in in just this one place, instead of having to seek all of them out myself.