CISPA, Cybersecurity, and the Devil in the Dark

Sat Apr 14 12:01:42 PDT 2012

Lauren Weinstein's Blog Update, April 14, 2012
CISPA, Cybersecurity, and the Devil in the Dark

The threat of "cyberattacks" is real enough.  But associated risks have in
many cases been vastly overblown, and not by accident of chance.

The "cybersecurity" industry has become an increasingly bloated "money
machine" for firms wishing to cash in on cyber fears of every stripe, from
realistic to ridiculous. And even more alarmingly, it has become an excuse
for potential government intrusions into Internet operations on a scope
never before imagined.

There are warning signs galore.  While we can all agree that SCADA systems
that operate industrial control and other infrastructure environments are in
need of serious security upgrades -- most really never should have been
connected to the public Internet in the first place -- "war game" scenarios
now being promulgated to garner political support (and the really big
bucks!) for "cyber protection" have become de rigueur for agencies and
others hell bent for a ride on the cybersecurity gravy train.

Phony demos purporting to illustrate mass cyber attacks are more akin to
Fantasyland than reality, and the turf war between the Department of
Homeland Security (DHS) and intelligence agencies such as CIA and NSA in
this sphere should give all of us cause for significant concern.

The Cyber Intelligence Sharing and Protection Act (CISPA - H.R. 3523) has
become the embodiment of hopes for those entities who hope to turn overblown
fears of cyber attacks into a pipeline for potentially massive access by
government into the private data of Internet users.

Sponsors of the legislation tout its relative shortness and generality, but
those are precisely among the aspects that make this legislation so

CISPA effectively overrides virtually all existing laws related to Internet
privacy protections.  And since CISPA offers firms access to government
cybersecurity "threat data" in exchange for ostensibly voluntary feeding of
data back from those firms to the government, and provides for broad
protective immunity for companies that choose to do so, a pantheon of tech
heavyweights have lined up in support.

Just a few of the firms who have to various extents professed direct support
of CISPA include Facebook, Symantec, Verizon, IBM, Intel, Microsoft, and
Oracle. There are many others.

Notably absent from this list is Google, who has not taken a formal position
on the existing CISPA legislation and apparently is unlikely to do so.

Google's current approach to CISPA seems particularly prescient.

While it would be absolutely incorrect to attribute bad motives to the firms
supporting CISPA, the legislation itself is in my view so vague and general
that it represents largely an "empty vessel" capable of enormous potential
damage if deployed and then subjected to the inevitable stream of court

CISPA claims to ban using data collected under its authority for other than
cyber threat activities.  But we've seen such data compartmentalization bans
fall many times before in other data collection contexts.

Since the legislation creates such a broad override of existing privacy
protections, and such encompassing immunities for firms that provide
associated data to the government, the lack of specificity in so many
aspects of CISPA creates what could be the opportunity for a "perfect storm"
of abuses down the line.

There are indeed genuine risks of serious attacks on the Internet and
connected infrastructural systems.  But in the fog of the
military-industrial complex's rapid push into this area, it has become
obvious that realistic assessments are being shoved aside in favor of scare
tactics, agency power struggles, and "get rich quick" scheming.

This entire area has become a quintessential example of sowing F.U.D. --
Fear, Uncertainty, Doubt -- while legitimate questions of privacy and
individual rights are purposefully being marginalized.

We saw much the same thing happen after 9/11, with the knee-jerk rush to
pass the PATRIOT Act and Homeland Security Act, with a range of profiteering
and abuses against individual liberties that then resulted -- even leading
the U.S. down the evil path of torture.

We must avoid a repeat of this madness.

Information sharing can be a crucial element of cybersecurity, but for
legislation addressing this area, the devil is very much in the details, and
the lack of details in CISPA is an invitation to possible privacy disasters.

To the extent that cybersecurity threats do exist, the desire to quell them
must not be permitted to run slipshod over our personal privacy, liberties,
and associated protections in existing laws.

We can work together to help protect ourselves from actual cyber threats,
without allowing ourselves to become cyber schnooks in the process.
