[EAS] CISPA, Cybersecurity, and the Devil in the Dark
Peter J. Kindlmann
peter.kindlmann at yale.edu
Sat Apr 14 20:46:33 EDT 2012

Dear Colleagues -
I pass on to you the last mailing by Lauren Weinstein on his PRIVACY
Forum list. I consider him one of the most respected commentators on
issues of this kind.

Date: Sat, 14 Apr 2012 12:12:59 -0700
To: privacy-list at vortex.com
Message-ID: <20120414191259.GC22352 at vortex.com>
From: PRIVACY Forum mailing list <privacy at vortex.com>
Subject: [ PRIVACY Forum ] CISPA, Cybersecurity, and the Devil in the Dark
Content-Type: text/plain; charset="iso-8859-1"

CISPA, Cybersecurity, and the Devil in the Dark

The threat of "cyberattacks" is real enough. But associated risks
have in many cases been vastly overblown, and not by accident of

The "cybersecurity" industry has become an increasingly bloated "money
machine" for firms wishing to cash in on cyber fears of every stripe,
from realistic to ridiculous. And even more alarmingly, it has become
an excuse for potential government intrusions into Internet operations
on a scope never before imagined.

There are warning signs galore. While we can all agree that SCADA
systems that operate industrial control and other infrastructure
environments are in need of serious security upgrades -- most really
never should have been connected to the public Internet in the first
place -- "war game" scenarios now being promulgated to garner
political support (and the really big bucks!) for "cyber protection"
have become de rigueur for agencies and others hell bent for a ride on
the cybersecurity gravy train.

Phony demos purporting to illustrate mass cyber attacks are more akin
to Fantasyland than reality, and the turf war between the Department
of Homeland Security (DHS) and intelligence agencies such as CIA and
NSA in this sphere should give all of us cause for significant

The Cyber Intelligence Sharing and Protection Act (CISPA - H.R. 3523)
has become the embodiment of hopes for those entities who hope to turn
overblown fears of cyber attacks into a pipeline for potentially
massive access by government into the private data of Internet users.
Sponsors of the legislation tout its relative shortness and
generality, but those are precisely among the aspects that make this
legislation so problematic.

CISPA effectively overrides virtually all existing laws related to
Internet privacy protections. And since CISPA offers firms access to
government cybersecurity "threat data" in exchange for ostensibly
voluntary feeding of data back from those firms to the government, and
provides for broad protective immunity for companies that choose to do
so, a pantheon of tech heavyweights have lined up in support.

Just a few of the firms who have to various extents professed direct
support of CISPA include Facebook, Symantec, Verizon, IBM, Intel,
Microsoft, and Oracle. There are many others.

Notably absent from this list is Google, who has not taken a formal
position on the existing CISPA legislation and apparently is unlikely
to do so.

Google's current approach to CISPA seems particularly prescient.

While it would be absolutely incorrect to attribute bad motives to the
firms supporting CISPA, the legislation itself is in my view so vague
and general that it represents largely an "empty vessel" capable of
enormous potential damage if deployed and then subjected to the
inevitable stream of court interpretations.

CISPA claims to ban using data collected under its authority for other
than cyber threat activities. But we've seen such data
compartmentalization bans fall many times before in other data

Since the legislation creates such a broad override of existing
privacy protections, and such encompassing immunities for firms that
provide associated data to the government, the lack of specificity in
so many aspects of CISPA creates what could be the opportunity for a
"perfect storm" of abuses down the line.

There are indeed genuine risks of serious attacks on the Internet and
connected infrastructural systems. But in the fog of the
military-industrial complex's rapid push into this area, it has become
obvious that realistic assessments are being shoved aside in favor of
scare tactics, agency power struggles, and "get rich quick" scheming.

This entire area has become a quintessential example of sowing
F.U.D. -- Fear, Uncertainty, Doubt -- while legitimate questions of privacy
and individual rights are purposefully being marginalized.

We saw much the same thing happen after 9/11, with the knee-jerk rush
to pass the PATRIOT Act and Homeland Security Act, with a range of
profiteering and abuses against individual liberties that then
resulted -- even leading the U.S. down the evil path of torture.

We must avoid a repeat of this madness.

Information sharing can be a crucial element of cybersecurity, but for
legislation addressing this area, the devil is very much in the
details, and the lack of details in CISPA is an invitation to possible

To the extent that cybersecurity threats do exist, the desire to quell
them must not be permitted to run slipshod over our personal privacy,
liberties, and associated protections in existing laws.

We can work together to help protect ourselves from actual cyber
threats, without allowing ourselves to become cyber schnooks
in the process.

Lauren Weinstein (lauren at vortex.com): http://www.vortex.com/lauren
Co-Founder: People For Internet Responsibility: http://www.pfir.org
- Data Wisdom Explorers League: http://www.dwel.org
- Network Neutrality Squad: http://www.nnsquad.org
- Global Coalition for Transparent Internet Performance: http://www.gctip.org
- PRIVACY Forum: http://www.vortex.com
Member: ACM Committee on Computers and Public Policy
Lauren's Blog: http://lauren.vortex.com
Google+: http://vortex.com/g+lauren / Twitter: http://vortex.com/t-lauren
Tel: +1 (818) 225-2800 / Skype: vortex.com