CISPA

Interesting take on the CISPA law that just passed in the U.S. House and is now over in the Senate: CISPA row: Slurped citizen data is ENORMO HACK TARGET.

CISPA is the Cyber Intelligence Sharing and Protection Act. From the lead of the above-cited article:

The ability to identify common patterns in real-world attacks makes crowd-sourcing threat intelligence extremely useful, according to a study from security tools firm Imperva.

The report arrives just as a privacy row rages over the new Cyber Intelligence Sharing and Protection Act (CISPA) law in the US.

But the head of the security firm said the legislation could create several problems, not least of which was the equivalent of sticking a giant ‘Hack Me’ sign on the government’s info stores.

Basically what is being proposed here is that the Government is too stupid, or too lazy, to be trusted with such a mass of information. We are, of course, talking about the same Government that couldn’t prevent its own Secretary of Defense’s work e-mail from being hacked by the Chinese. So the threat is not merely theoretical.

Is the whole notion of private business sharing this kind of information with the Government a good idea? Maybe, but as usual “the devil is in the details”. The problem with any legislation that tries to encourage information sharing between private business and the Government in this country is that protecting citizen privacy is usually an afterthought. Where Europeans have the benefit of multiple layers of laws protecting the privacy of information about citizens, the United States has a few very narrowly defined statutes such as HIPAA (covering medical information), FCRA (credit) and ECPA (electronic communications). We Americans have just not thought this stuff through very thoroughly, and in those few places that we have, we’ve done it badly.

We are, as I note above, even worse at keeping private data safe once we’ve gathered it — even where there’s clear agreement that a particular bit of information should be kept under lock and key.

Right now odds are that the Senate majority will either not schedule a vote on the bill as referred from the House or will defeat it. In the event it should pass the Senate, the President has already issued an unusually blunt statement that he would veto it.

Of course in Washington, anything can happen. And no one can be trusted.

This is the official list of CISPA supporters published on the U.S. House of Representatives web site. Note that although some of those listed below may have belatedly softened their support, there comes a time when “too little too late” needs to apply even to business overlords and defiers of gravity.

H.R. 3523 – Letters of Support

06-27-12 – Michigan Department of Military & Veterans Affairs, Lansing Supporting CISPA

04-25-12 – American Fuel & Petrochemical Manufacturers Letter to Boehner & Pelosi Supporting CISPA

04-25-12 – American Petroleum Institute Supports CISPA

04-25-12 – 11 Financial Trade Associations Support CISPA

04-24-12 – SIMFA Letter of Support for CISPA

04-23-12 – ASIS Letter Supporting HR 3523

04-23-12 – 9 Utilities Groups Support CISPA

04-20-12 – TechNet Sends Letter of Support for CISPA to Rogers and Ruppersberger

04-18-12 – Multiple Tech Association Letter to Boehner & Pelosi in support of CISPA

04-17-12 – Bay Area Council Supports CISPA

04-17-12 – TechAmerica Supports CISPA

Multi-industry Letter to Speaker Boehner & Minority Leader Pelosi on CISPA

AT&T
Boeing
BSA
Business Roundtable
CSC
COMPTEL
CTIA – The Wireless Association
Cyber, Space and Intelligence Association
Edison Electric
EMC
Exelon
Facebook
The Financial Services Roundtable
IBM
Independent Telephone & Telecommunications Alliance
Information Technology Industry Council
Intel
Internet Security Alliance
Lockheed Martin
Microsoft
National Cable & Telecommunications Association
NDIA
Oracle
Symantec
TechAmerica
US Chamber of Commerce
US Telecom – The Broadband Association
Verizon

Here’s who voted “yea” and “nay” on it in the House on 18 April 2013:

Final Vote Results for Roll Call 117


About phil

My name is Phil Lembo. In my day job I’m an enterprise IT architect for a leading distribution and services company. The rest of my time I try to maintain a semi-normal family life in the suburbs of Raleigh, NC. E-mail me at philipATlembobrothersDOTcom. The opinions expressed here are entirely my own and not those of my employers, past, present or future (except where I quote others, who will need to accept responsibility for their own rants).