The true face of ‘son of SOPA’

Internet advocacy groups are up in arms about the latest bill designed to bolster US defence against cyber attacks but is the Cyber Intelligence Sharing and Protection Act (CISPA) really that bad?

Internet advocacy groups are lining up to scream and yell about a US bill proposed to amend the National Security Act (NSA) of 1947 called the Cyber Intelligence Sharing and Protection Act (CISPA).

While it seems nearly everyone has an opinion about the act, most of the reporting seems to focus on those who can speak the loudest.

I figured I would weigh in on what the act is intended to do and why civil liberties groups are so concerned about it.

The intention of the act is to explicitly add "cybercrime" to the list of offenses that fall under the National Security Act. This includes attempts to disrupt or destroy US computer networks and attempts at unauthorised access and theft of data from these systems.

Another component of the act would grant the government the ability to share information between the public and private sectors to facilitate better defensive cooperation and information to assist in criminal investigations.

It all sounds pretty reasonable on the surface, right?

As usual the devil is in the details and that is where this bill gets particularly messy.

Early versions of the bill used the following wording to define theft from US computer systems:

"theft or misappropriation of private or government information, intellectual property, or personally identifiable information"

Immediately groups like the Electronic Frontier Foundation (EFF) and the Center for Democracy and Technology decried the bill as SOPA part two.

It has commonly been referred to as "son of SOPA" in the press because the bill specifically makes statements about intellectual property.

While there is little room for vagueness in legislation, I do not believe that was the intention of the statement.

The authors claim the purpose was to include the theft of intellectual property pertaining to trade secrets, industrial designs and other information the US has accused China of stealing en masse from US companies.

The offending statement about intellectual property has been removed in current versions of the bill.

The larger concern for many was the expectation that US companies would share information about cyber attacks with the US government and the bill does not specifically prohibit sharing personal information or adequately restrict its usage. The EFF in particular takes issue with wording from the bill that states "Private information may be shared notwithstanding any other provision of law."

That is indeed some pretty scary wording, which has led the White House to respond.

Without mentioning CISPA, National Security Council spokeswoman Caitlin Hayden was quoted in The Hill as saying:

"Also, while information sharing legislation is an essential component of comprehensive legislation to address critical infrastructure risks, information sharing provisions must include robust safeguards to preserve the privacy and civil liberties of our citizens. Legislation without new authorities to address our nation’s critical infrastructure vulnerabilities, or legislation that would sacrifice the privacy of our citizens in the name of security, will not meet our nation's urgent needs"

This time I think the White House has it right. Information sharing, even if only between private sector organisations, is critical to our building an effective defense.

It may also be the key to being able to more accurately identify our adversaries and the methods they are using to gain access to our systems.

While some industries share information and have a reasonable picture of what we are up against, most do not.

To accomplish these goals by casting our privacy rights in the trash heap in a rush to be "secure" is more insane than doing nothing at all.

We have seen too many laws take away our rights in the name of security already, with little to nothing to show for it.

I know it might sound crazy... But perhaps we can respect current privacy protections and still share information with one another for the betterment of all of our security?

I know it sucks, that means you will actually have to care and try a little harder, but there are still two viable options available to you.

You can decide it is too hard and continue to suffer attacks, have your business plans stolen and struggle to survive in an ever more competitive market or you can respect the law and your customers, work extra hard to together with others in your position and be stronger for it in the long run.

Chester Wisniewski is a senior security advisor at Sophos Canada. 

InvestSMART FORUM: Come and meet the team

We're loading up the van and going on tour from April to June, with events on the NSW central & north coast, the QLD mid-north coast and in Perth, Adelaide, Melbourne, Sydney and Canberra. Come and meet the team and take home simple strategies that you can use to build an investment portfolio to weather any storm. Book your spot here.

Want access to our latest research and new buy ideas?

Start a free 15 day trial and gain access to our research, recommendations and market-beating model portfolios.

Sign up for free

Related Articles