How a Cybersecurity Protection Bill Might Differ From CISPA
The House of Representatives is expected to vote on “CISPA,” the Cyber Intelligence Sharing and Protection Act this week. Whatever advocates’ frustrations, it’s not clear what government’s capabilities really are with respect to private critical infrastructure security and cybersecurity, regardless of resources.
Given that, ensuring that nothing blocks markets from reacting as fluidly as possible, rather than federally over-steering cybersecurity, should be the guiding principle. There’s a chance to adopt that stance next, because the Senate won’t likely pass CISPA and a White House veto is promised anyhow; but it would require a somewhat different mindset.
Those who feel we must legislate cybersecurity remain far apart. But it’s not really surprising; agreement even on fundamentals with respect to where to allocate cybersecurity resources and know-how doesn’t exist. Nor are we sure of the relative likelihood of physical vs. cyber-attacks, for example; or of cyber-terror or cybercrime aimed at the power grid, food processing facilities, chemical plants, banks or other institutions.
Or why are we handwringing over CISPA instead of, say, worrying about an electromagnetic pulse.
So it’s complicated. On the one hand the bill, aimed at threat information sharing between government and the private sector, is more limited than several recent proposals; there’s no “kill switch” for the Net; there’s no standards-setting; no major security requirements imposed on business.
But the outcry over the bill’s potential privacy-invading features has now reached anti-SOPA/PIPA proportions; those were the intellectual property bills that flamed out early this year and late last. Civil liberties advocates holler: Online freedom mattered greatly there, and privacy matters here.
CISPA barks up the wrong tree in a sense, capable of cementing in existing frailties such that regulation will surely persist in future years even when it shouldn’t.
An actual cyberspace protection plan, in my view, is different; it would embark upon the liberalization of heavily regulated critical infrastructure assets like telecommunications and electricity and water that are artificially siloed and managed as 20th century utilities. We need to open up unprecedented investment and foster new wealth creation in them. In similar vein, a cybersecurity plan would forbid compulsory “net neutrality” in the telecommunications industry that, to me, threatens sound network evolution and armor-plating. The relationship between cybersecurity and variously regulated critical infrastructure needs intense exploration, but I don’t really see it on the radar.
Policymakers more attuned to cybersecurity might also ponder relaxation of antitrust. One of the more non-controversial cybersecurity tasks often ascribed to government and prominent in CISPA is that of coordinating (certain) information sharing. But there may be impediments to voluntary information sharing that, if relaxed, lessen the pressure for having Washington run the show. It might be that we should examine how antitrust laws may inhibit coordination among firms. Relaxing antitrust constraints so firms can enhance reliability and security not just by sharing information but though “partial mergers” of the kind that would make today’s antitrust enforcers squirm may be what we need.
Overly aggressive interpretations of the Freedom of Information Act also may inhibit certain private information sharing.
Washington does have a substantial cybersecurity role that entails protecting government’s own insecure networks and setting reasonable internal security standards. It involves arresting computer criminals, not cyber-regulating. It means making sure government doesn’t increase its own culpability in cybersecurity risk by instigating unwise information sharing. It’s too easy to undermine individual privacy in this age of proposed national ID cards, biometrics, RFID, and evolving cloud-computing and mobile-device information standards. People need to be able to say no to the wrong kind of government information collection.
Private sector experimentation in cybersecurity is messy but important. It’s needed to appreciate what counts as appropriate and inappropriate information sharing and strategies. Companies are automating and outsourcing security; biometrics are restricting access to critical facilities.
And fragile, frontier institutions of insurance and liability are emergent, and should not be improperly interrupted by CISPA’s immunity provisions.
Moreover, lessons learned from today’s parallel online privacy and digital piracy conflicts will inform cybersecurity more generally.
We do need to better distinguish between commercial and political anonymity. The tug of war between anonymity vs. authentication matters. Outlawing online anonymity was never an answer for cybersecurity and is a non-starter; but private sector “regulation” of anonymity via developing authentication technologies far more capable than those of today can be critical in commercial settings and aid cybersecurity. If we were building the Net from the ground up knowing what we know today, perhaps we might embed authentication at the core in a way absent today. Experimentation in that vein might do more good than the sharing approach of CISPA.
Whether a law is passed or not, few stand in any position to make security guarantees on an Internet with a built-in, open and trusting architecture.
So cybersecurity legislation mustn’t undermine the evolution needed to make such guarantees real. Information sharing as in CISPA can help a lot but isn’t the sole answer, and compulsion should be avoided; And neither immunity nor the also-proposed opposite approach of imposed liability are appropriate reactions. Yet both have been put into legislative language.
In critical infrastructure security and cybersecurity, we’ll always need the private sector’s door locks, barbed wire and guards more than we need the feds (apart from criminal prosecutions). The cybersecurity bill to affirm that principle has yet to appear.