In the US, another version of CISPA was reintroduced yesterday in the House of Representatives. The White House has also issued an executive order on the same topic. Similarly in Europe, the European Commission recently published two documents which articulate a strategy for cybersecurity – Cybersecurity Strategy of the European Union and the Proposed Directive on Network and Information Security. Info sharing programs to improve Internet security may be one of the most important global technology policy issues this year. We’re currently looking at these proposals to develop a view and understand if and how they may impact the Mozilla mission. If you would like to contribute to this effort, we welcome your participation.
On this side of the Atlantic, an editorial by CISPA bill author Rep. Dutch Ruppersberger articulates the rationale for the new CISPA bill. He likens it to a “911 line for cyber emergencies” so companies can call in threats and share supporting information when or before they occur.
The CISPA bill was problematic the first time it was introduced and later dropped last year, not because of the general goal to make critical infrastructure more secure, which is laudable, but because it compromised user privacy expectations. The new bill, among other provisions, provides for two-way sharing of information, from the government to commercial organizations and from commercial entities to the government, to better defend against cyber-security attacks.
It seems the current bill has the same defects as last time, as detailed by Mark Jaycox at EFF and Leslie Harris at the Center for Democracy and Technology. Both organizations oppose the new bill because it overwrites existing privacy laws and fosters non-transparent sharing of personal user information with US government agencies without controls. To encourage and facilitate this kind of sharing, it also provides civil immunity to private companies for such sharing. Citing recent attacks on The New York Times, The Wall Street Journal and the Federal Reserve, other organizations like CTIA, Verizon, and AT&T support the new CISPA bill. Civil advocates appear to support the White House executive order.
With the accumulation of digital user data and preferences held by service providers and the reality that increased cyber-attacks also jeopardize user privacy, it seems that the tensions between national security and human rights/civil liberties will again be tested. It’s also unclear that this kind of sharing will really make a difference, so it seems the technical community needs to weigh in further. My hope is that there’s a reasonable balance that doesn’t cost users too much in the way of privacy to achieve the stated security goals.