As I mentioned yesterday, this week is a Week of Action Opposing CISPA. CISPA attacks privacy and civil liberties, which of course makes it very bad from a liberty-loving perspective. To make matters even worse, CISPA provides no actual benefits.
The purpose of CISPA, according to the HR-624 website, is:
…simply provides narrow authority to share anonymous cyber threat information between the government and the private sector so they can protect their networks and their customers’ private information.
That sounds all well and good. However, the bill allows unprecedented access to private information by the government. This is done by having companies share data ‘voluntarily’ (with no say from the actual customers). It is easy to imagine the DHS asking companies to ‘voluntarily’ provide data at any time in the name of cyber-security. Of course, the term cyber-security itself is very vague.
But going back to the author’s statement: at face value it seems logical that government and private sector organizations sharing information would make our networks safer. Think again. I’ve worked in the networking field (including security) for over 20 years and I can say with the greatest confidence that simply sharing data will do nothing to make networks safer. The authors of this bill have fallen victim to some common misconceptions about network security:
Misconception 1: All networks are the same.
Network and data infrastructures for large organizations are like snowflakes: no two are alike. There are similarities that most share; however, a nearly unlimited number of hardware, software, and configuration differences makes it nearly impossible to have a single monitoring point (which is where CISPA is headed). Do we really want the bureaucrats at the DHS making decisions about people’s private data based upon the assumption that they can understand all networks?
Misconception 2: Vulnerability data is not shared.
Just because the government is not in charge of sharing vulnerability data does not mean it doesn’t get shared. Typically, when a cyber-attack occurs, one or more network security experts are brought in. These experts will work with the vendors of any network security devices or software being used. In turn, these vendors will release information relating to the vulnerabilities encountered. They will also find ways to make their products prevent such attacks in the future. The system doesn’t always work this way, but for the most part it works quite well. Adding a government bureaucratic layer to this would lengthen the response time of security vendors.
Misconception 3: The network is the problem in cyber-security.
The network is not, nor has it ever been, the greatest threat to ‘cyber-security’. The greatest threat always has been, and will likely remain, the ‘human element’. Bad security policies coupled with uneducated network users are the greatest threat to network security. It doesn’t matter how hardened a network security infrastructure is if the users (including IT) do not follow security best practices. Bills such as CISPA take focus away from the root cause of most network security issues. If network security professionals are made to focus on pointless ‘voluntary information sharing’, they will lose sight of end-user education and network improvement.
There are many more misconceptions I could list, but I feel these three are enough to show that this bill has not been well thought out. Maybe they should have included more network security and privacy professionals in the conversation when the bill was being drafted.
With the bill being based upon so many misconceptions, it is hard to imagine why anyone would support giving up privacy rights so it can be passed. Simply put: this bill takes away Fourth Amendment and privacy rights without actually providing a tangible benefit. That sure doesn’t sound like good legislation to me.