CISPA Wouldn't Actually Solve The Reasons Congress Is Giving For Why We Need CISPA

from the it's-the-little-things... dept

As expected, Representatives Mike Rogers and Dutch Ruppersberger have reintroduced CISPA, exactly as it was when it passed the House last year. Incredibly, we’ve been hearing that they’ve brushed off the massive privacy concerns by claiming that those were all “fixed” in the final version of the bill that got approved. This is highly disingenuous. While it is true that they made some modifications to the bill at the very end before it got approved, most privacy watchers were (and are) still very concerned. They did convince one organization to flip-flop, and they seem to think that’s all they need.

But, here’s the thing that no one has done yet: explain why this bill is needed. With President Obama’s executive order in place, the government can more easily share threat info with companies, so really the only thing that CISPA piles on is more incentives for companies to cough up private information to the government with little in the way of oversight or restrictions on how that information can be used. And given how frequently the government likes to cry “cyberattack” when it’s simply not true, it’s only a matter of time before they start using claims of “cyberthreat!” to troll through private information.

And they still refuse to explain why this is needed. We hear lots of scare stories, but no explanation for how this bill helps. For example, Ruppersberger has written up an op-ed for the Baltimore Sun in which he lays out the reasons we need CISPA, but it’s all scare stories, without a single explanation for how CISPA would help. And that’s because it wouldn’t.

March: Hackers allegedly steal the credit card numbers from 1.5 million Visa and MasterCard customers by breaking into the computer systems of the company’s payment processor in New York. The thieves stockpiled the stolen credit card numbers for months before beginning to use them.

Payment processors already have some of the best security people in the world and have a large and widespread community of folks who do nothing but think about security issues for this industry. At what point would that lead the payment processor or Visa or MasterCard to need to hand information over to the government?

August: Cyber attackers disrupt production from Saudi Aramco, the world’s largest exporter of crude oil, taking out 30,000 computers in the process, according to press reports.

Saudi Aramco is a Saudi Arabian company. Not sure why they would be sharing info with the US government or how CISPA would relate to them at all.

January: PNC Bank announces to its 5 million customers that its website is getting hit with high traffic consistent of a cyber attack meant to delay business with its online banking customers.

Again, why would PNC need to give information to the government? And, if they could alert their customers to the threat, they can also alert the government. None of that requires the ability to share customer info.

These are just three reported examples of cyber attacks in the past 12 months. Each could have had a devastating impact on the U.S. and global economies. That’s more than a bad dream — that’s a full-blown nightmare.

These are just three scare stories of cyber attacks in the past 12 months, none of which would have been impacted by CISPA. So why do we need it again?

Highly trained Chinese, Russian and Iranian hackers are probing, pilfering and plotting every second of every day. They’re often after personal data: In November, reports suggested a hacker was able to access nearly 4 million tax returns in South Carolina with a single malicious email. And they’re often after the trade secrets of our companies: The media has reported that Coca-Cola may have fallen victim to hackers from a Chinese beverage company.

Again, what does any of that have to do with CISPA?

Many believe that what is happening to American business may be the largest transfer of wealth in the history of the world. It’s costing our companies billions of dollars, and it’s costing our country thousands of jobs.

Many believe that’s pure hogwash. It’s not the largest transfer of wealth in the history of the world. It’s not costing companies billions of dollars and it’s certainly not costing our country thousands of jobs.

Preventing the U.S. government from sharing information about malicious computer code it detects is akin to preventing forecasters from warning citizens about a hurricane.

Except the government already could share a lot of information, and with the executive order can now share more. So why do we need CISPA?

Our legislation doesn’t just protect companies. It will also protect every American citizen who, for example, uses electricity or banks online, or whose doctor compiles medical records electronically.

How? It’s a serious question. You can talk about all of these hacks, and you can say “yay, cybersecurity bill!” but if you don’t explain specifically how that bill does anything to actually stop those attacks or to protect Americans, you’re full of it.

It’s important to note that under my legislation, your private information will also be kept private from the government. Information-sharing between companies and the government will be entirely voluntary. Businesses do not have to share information with the government in order to receive information from the government. The bill does not authorize the government to monitor your computer or read your email, Tweets or Facebook posts. Nor does it authorize the government to shut down websites or require companies to turn over personal information.

The first sentence is simply not true. Your private information can be shared with the government, so to say that it absolutely will be kept private is simply wrong. The second and third sentences are misleading. Yes, the information sharing is “voluntary” but since there are broad immunity exemptions, if the government is coming to most companies and saying “share this info for cybersecurity reasons, and you can’t get sued for doing so,” how many companies are going to stand up to the government and say no? There may be a very small number, but for the most part, companies will hand over the info. The fourth and fifth sentences are simply meaningless, because they are unrelated to the legitimate privacy concerns raised.

Once again, we’re left in the same boat as before. Lots of scare stories but no explanation of why CISPA is needed or how it actually helps. The whole thing is just way too broad, with vague justifications that simply don’t make much sense when you look at the actual threats compared to what the bill would allow.


Comments on “CISPA Wouldn't Actually Solve The Reasons Congress Is Giving For Why We Need CISPA”

Anonymous Coward says:

usual situation, then. politicians want something, that something won’t do what they say it will but it will be detrimental to the ordinary people. what more reason do they want? what chance is there of keep doing ‘SOPA’ defeats? at a guess, not a lot. politicians know that people get fed up of fighting, that’s why they keep pushing and re-pushing. they know that eventually, what they want will be achieved, simply because we can’t carry on fighting them

John Fenderson (profile) says:

Re: Re:

Yes. That this solution isn’t considered is part of a disturbing trend I’ve been seeing for a while now.

1) Develop an obviously dangerous or unworkable solution.
2) Discover that it’s dangerous or unworkable
3) Get laws passed to make the danger illegal

.. when the only correct procedure is, if you get to step 2, to stop using that solution.

Anonymous Coward says:

“Many believe that what is happening to American business may be the largest transfer of wealth in the history of the world.”
Many children believe in unicorns, does that make it any more real? I KNOW this is an incomplete thought, because it doesn’t even describe who the transfer of wealth is from and to. It could be transfer of wealth of parents to their kids. I don’t know what dollar value you put on inheriting an entire kingdom including the serfs and slaves that go with it, but if a human life is priceless, then inheriting a country full of people kinda blows any modern wealth transfer out of the water.

“It’s costing our companies billions of dollars, and it’s costing our country thousands of jobs.”
This is nicely worded to make it sound like this is a fact, and the other is just a mere belief, when they are both unproven indefensible ideas pulled out of the air.

That One Guy (profile) says:

Re: Re:

It’s due to those pesky ‘privacy protection laws’ and whatnot getting in the way.

See currently, if companies handed over a ton of private information from their customers, they would be open to being sued, which would provide plenty of incentive for a company to refuse to hand over, or at least refuse to do so without a warrant, such data any time the government ‘asked’.

However if they were given immunity, then suddenly the incentive goes the other way, where they might have to worry about potential lawsuits from the government for not handing over the data, but none from their customers if they do.

Anonymous Coward says:

“Preventing the U.S. government from sharing information about malicious computer code it detects is akin to preventing forecasters from warning citizens about a hurricane.”

This one truly blew me away. What is the purpose of US-CERT? Is this not the organization responsible to post critical vulnerabilities to informed IT people so that they can correct them before they are exploited? I get these emails at least monthly during MS’s update Tuesday, and various other times from Cisco, Adobe, Sun, Juniper, etc, etc, etc…. If companies don’t update their code, then it’s the public’s responsibility to shame them into doing so. Just look at Apple during the Dan Kaminsky DNS vulnerability: (First one that comes to mind, so not trying to bash anyone.)
