Cybersecurity Boon or Privacy Threat?
Rights advocacy groups and security practitioners remain on opposite ends of the spectrum on the merits of sharing information as a means to improve cyber security.
Fri, March 01, 2013
Computerworld — SAN FRANCISCO -- Rights advocacy groups and security practitioners remain on opposite ends of the spectrum on the merits of sharing information as a means to improve cyber security.
The Electronic Frontier Foundation, the Center for Democracy and Technology and other groups have vigorously opposed the Cyber Intelligence Sharing and Protection Act (CISPA), contending that it's a major threat to privacy.
The proposed legislation would make it easier for companies to share threat information with other businesses and the government -- and offers liability protection and legal immunity for organizations that take part.
The bill passed the U.S. House of Representatives last year amid huge protests and a veto threat by the White House. The bill failed after stalling in the Senate.
CISPA was reintroduced last month, and since then has faced the same loud critics.
EFF and other privacy advocates insist that the proposed law -- pretty much unchanged from the original -- would let companies snoop on people and share all sorts of personal information under the pretext of cybersecurity.
"It's written so broadly that it allows companies to hand over large swaths of personal information to the government with no judicial oversight," the EFF cautioned in a CISPA FAQ it released this week.
According to the EFF and others opposed to the proposed legislation, CISPA as written would permit communications service providers to share stored emails, text messages and files with the government.
Information sharing only addresses a "small piece of the information security puzzle," the EFF noted in its FAQ, adding that CISPA "does nothing to, for example, encourage stronger passphrases, promote two-factor authentication, or educate users on detecting and avoiding social engineering attacks, which is the cause of a majority of attacks on corporations."
Security practitioners, however, view CISPA and information sharing in general quite differently.
At the RSA Conference 2013 here this week, several security experts said that threat information sharing is a vital piece of the effort to improve cyber security at a time when attacks against U.S. organizations are escalating sharply.
They insisted that the ability to share information on emerging threats and vulnerabilities freely without having to worry about liability, antitrust and other legal issues must be a key part of any cybersecurity strategy. Where privacy advocates see a threat, security practitioners see an opportunity to better deal with a fast changing threat environment.
"Information sharing -- having the means to share critical information, attack signatures, and detailed information is critical to [securing] critical infrastructure," said Christopher Pierson, chief security and compliance officer at financial services company LSQ Holdings.