Law Enforcement Already Has A Way To Share 'Cybersecurity' Info With Companies; Why Do We Need CISPA?
from the this-makes-no-sense dept
The whole CISPA situation keeps looking more and more questionable. For months, we’ve been raising the question of why we needed such a law in the first place, because the evidence of any online threat that required such a law seemed hyperbolic at best and perhaps naively anecdotal at worst. However, there’s another dimension to the “why” question. It’s not just that the actual risk hasn’t been quantified; it’s not clear that the government and companies actually need a new law to share such security info in the first place. As we stated, the “right” way to do this would be to look at where the actual roadblocks are today in sharing such info. And there’s some evidence that such roadblocks don’t even exist.
Kashmir Hill has a great post showing how the FBI and companies already share the kind of info that the bill’s sponsors claim the bill is needed to allow.
The FBI has been information-sharing with private industry for over a decade without a bill like CISPA in place.
In 1997, long-time FBI agent Dan Larkin helped set up a non-profit based in Pittsburgh that “functions as a conduit between private industry and law enforcement.” Its industry members, which include banks, ISPs, telcos, credit card companies, pharmaceutical companies, and others can hand over cyberthreat information to the non-profit, called the National Cyber Forensics and Training Alliance (NCFTA), which has a legal agreement with the government that allows it to then hand over info to the FBI. Conveniently, the FBI has a unit, the Cyber Initiative and Resource Fusion Unit, stationed in the NCFTA’s office. Companies can share information with the 501(c)6 non-profit that they would be wary of (or prohibited from) sharing directly with the FBI.
In other words, if sharing info was important, we already had a perfectly functional model that’s been in place for 15 years. This means either that the Congressional authors and supporters of this bill were completely ignorant of this, or that CISPA is really meant to sneak through something worse. Neither makes CISPA or its supporters look very good. I’m actually hoping that the truth is that they’re just ignorant and passing laws on issues they don’t understand, because the other choice is even more depressing.