The House Intelligence committee is currently working to amend the Cyber Intelligence Sharing and Protection Act (CISPA) whose stated aim is to “help the U.S government investigate cyber threats and ensure the security of networks against cyberattack”. Yes, the government that has already proven they cannot protect its citizens from cybersecurity threats now wants to be the sole solution provider for those services all while proposing 19th-century style legislation to a 21st century problem. Well, “something is better than nothing”. Really?
CISPA has been criticized by advocates of Internet privacy and civil liberties, such as the Electronic Frontier Foundation and the American Civil Liberties Union. Those groups argue CISPA contains too few limits on how and when the government may monitor a private individual’s Internet activities. Additionally, they fear that such new powers could be used to spy on the general public rather than to pursue malicious hackers. What we all suspect is that CISPA is really nothing more than a second attempt at strengthening digital piracy laws after the anti-piracy Stop Online Piracy Act was thrown under the bus.
Now we are watching Congress “appear” to be doing something about Internet security when in reality, the proposals they are suggesting don’t address most major network security issues facing Americans today. Instead they are working feverishly to promote the “exchange of information” which is funny because the unfettered “exchange of information” is the root cause of the Internet security problem in the first place. Still, Congress feels allowing companies to more easily “share” information on attacks with the government, while their “sharing” remains free from Freedom of Information requests and can be done without a warrant, is the solution to America’s cybersecurity problem. Really?
In addition, CISPA allows the sharing of private citizen information with the National Security Agency, a secretive military intelligence agency. What’s even scarier is that the sharing of information is authorized even if it would otherwise be prohibited by privacy law. Furthermore, the company that shares the information is completely free from any liability resulting from the sharing of private data. Really?
The information that can be shared is broadly defined with no requirement to strip out personal information unrelated to the perceived threat. Furthermore, there is no requirement that companies that are the recipients of the cyberthreat information use it only for cybersecurity purposes. They can pretty much share whatever they want and then do whatever they want with it. Really?
In addition, we’ve just found out that one of the proposed amendments would prohibit companies from “hacking back” in an attempt to identify their attackers or recoup stolen property. So let’s see if I have this right. A government that admits it cannot protect us from Internet saboteurs is now proposing a law that will make it harder for us to protect ourselves. Really?
Do monkeys write these bills or real-life Congressmen?
Oh, and we remind you that this is all taking place in private without public debates. Yes, really.
Geek Slop take?
There is no single solution but lots of smaller ones that we can move on quickly. First, work faster to rebuild the country’s infrastructure, providing better secured IPV6 broadband facilities to all citizens. Our infrastructure is outdated and behind much of the rest of the world. It’s especially dated compared to China’s infrastructure.
Secondly, require companies to install and utilize IDS, IPS, and firewall solutions or suffer stiff penalties when failures occur in their security policy. You want to make a company pay attention? Hit them where it hurts – in the wallet.
After a very small window of “research time”, require public disclosure when company networks are attacked. Yeah, it you’re stupid enough to let them in then we want to hear about it. If for any reason other than to get a good chuckle out of their stupidity.
Launch a public education campaign educating citizens on the threats and perils of poor security practices. Nuff said.
And yes, allow companies to go on the offensive against attackers. If Russians are whacking away at my servers then I want to turn my big cannons in their direction and blast a 15-minute DDoS down their throats. Trust me, run a Hydra brute-force password attack on port 22 of a server located in Moscow and see how long it takes before the Internet connection in your home goes down.
Lastly, and most importantly, acknowledge that if America wants to win the cybersecurity war, they are going to need smarter generals…
UPDATE 4/10/13: It just got a bit less dopier. Reuters reported:
“During discussions, the bill was modified to include measures aimed at ensuring private information was not unwittingly exposed during any information-sharing between industry and government. For instance, the bill encourages the private sector to “anonymize” or “minimize” the information it voluntarily shares with the government, and authorizes and encourages the government to create procedures to protect privacy. It also puts in place restrictions on the use, retention, and searching of any data voluntarily shared by the private sector with the government, and permits individuals to sue the federal government for any such disclosures.”