Internet advocacy groups are lining up to scream and yell about a US bill proposed to amend the National Security Act (NSA) of 1947 called the Cyber Intelligence Sharing and Protection Act (CISPA).
While it seems nearly everyone has an opinion about the act, most of the reporting seems to focus on those who can speak the loudest.
I figured I would weigh in on what the act is intended to do and why civil liberties groups are so concerned about it.
The intention of the act is to explicitly add "cybercrime" to the list of offenses that fall under the National Security Act. This includes attempts to disrupt or destroy US computer networks and attempts at unauthorised access and theft of data from these systems.
Another component of the act would grant the government the ability to share information between the public and private sectors to facilitate better defensive cooperation and information to assist in criminal investigations.
It all sounds pretty reasonable on the surface, right?
As usual the devil is in the details and that is where this bill gets particularly messy.
Early versions of the bill used the following wording to define theft from US computer systems:
"theft or misappropriation of private or government information, intellectual property, or personally identifiable information"
Immediately groups like the Electronic Frontier Foundation (EFF) and the Center for Democracy and Technology decried the bill as SOPA part two.
It has commonly been referred to as "son of SOPA" in the press because the bill specifically makes statements about intellectual property.
While there is little room for vagueness in legislation, I do not believe that was the intention of the statement.
The authors claim the purpose was to include the theft of intellectual property pertaining to trade secrets, industrial designs and other information the US has accused China of stealing en masse from US companies.
The offending statement about intellectual property has been removed in current versions of the bill.
The larger concern for many was the expectation that US companies would share information about cyber attacks with the US government and the bill does not specifically prohibit sharing personal information or adequately restrict its usage. The EFF in particular takes issue with wording from the bill that states "Private information may be shared notwithstanding any other provision of law."
That is indeed some pretty scary wording, which has led the White House to respond.
Without mentioning CISPA, National Security Council spokeswoman Caitlin Hayden was quoted in The Hill as saying:
"Also, while information sharing legislation is an essential component of comprehensive legislation to address critical infrastructure risks, information sharing provisions must include robust safeguards to preserve the privacy and civil liberties of our citizens. Legislation without new authorities to address our nation's critical infrastructure vulnerabilities, or legislation that would sacrifice the privacy of our citizens in the name of security, will not meet our nation's urgent needs."
This time I think the White House has it right. Information sharing, even if only between private sector organisations, is critical to building an effective defense.
It may also be the key to being able to more accurately identify our adversaries and the methods they are using to gain access to our systems.
While some industries share information and have a reasonable picture of what we are up against, most do not.
To accomplish these goals by casting our privacy rights in the trash heap in a rush to be "secure" is more insane than doing nothing at all.
We have seen too many laws take away our rights in the name of security already, with little to nothing to show for it.
I know it might sound crazy, but perhaps we can respect current privacy protections and still share information with one another for the betterment of all of our security?
I know it sucks, that means you will actually have to care and try a little harder, but there are still two viable options available to you.
You can decide it is too hard and continue to suffer attacks, have your business plans stolen and struggle to survive in an ever more competitive market, or you can respect the law and your customers, work extra hard together with others in your position and be stronger for it in the long run.
Chester Wisniewski is a senior security advisor at Sophos Canada.