House revives controversial cybersecurity information-sharing bill, but can CISPA 2.0 address lingering privacy concerns?

Mathew J. Schwartz, Contributor

February 14, 2013

3 Min Read

4. Civil Rights Groups Question Need For CISPA.

One reaction to the reintroduction of CISPA after its April 2011 demise has been: why bother? "Here we are, ten months later, with a much-deserved veto threat from the administration, a smarter Senate alternative, and an executive order that will address part of the information-sharing issue -- yet the House starts with the same old privacy-busting bill as before," said Michelle Richardson, legislative counsel for the ACLU, in a blog post.

In other words, privacy rights groups remain wary of CISPA, which the Center for Democracy and Technology previously derided not as cybersecurity legislation, but "surveillance legislation." Obama's cybersecurity order, by contrast, includes no legal protections for businesses that share people's personal information with the government, and instructs government agencies to report on the privacy and civil liberty impact that their cybersecurity programs are having.

5. CISPA Would Have Force Of Law.

Whereas the executive order only instructs the administration about how to proceed, one upside to cybersecurity legislation is simply that it would have the force of law. For example, the government could hold critical infrastructure businesses accountable for making measurable improvements in their information security posture.

After the executive order was signed, both Daniel and NSA director and U.S. Cyber Command commander Gen. Keith Alexander urged Congress to pass some form of bipartisan legislation that would close remaining cybersecurity gaps. The current shortfalls include creating enforceable critical infrastructure security standards, as well as incentives for private businesses to participate.

6. Does Information Sharing Require Laws?

But do private businesses operating in the critical infrastructure need new legislation to enable them to benefit from classified threat intelligence? "Frankly, I believe the tools and processes to facilitate effective and meaningful cybersecurity information sharing already exist; there is no need to reinvent the wheel yet again or add controversial and/or questionable provisions to those processes," said Richard Forno, who directs the University of Maryland Baltimore County's Graduate Cybersecurity Program, in a blog post.

Instead, his recommendation is that CISPA or other cybersecurity legislation focus on "unresolved problems of ... the over-collection of personal information in cyberspace along with its impact on personal privacy and ... the web of over-classifications, clearances and caveats (sometimes redundant and/or moronic in nature) that govern, if not also obstruct, how useful information -- including cybersecurity information -- is shared between interested people and organizations interested in or conducting cybersecurity operations."

Threat intelligence purveyors, heal thyself?

Attend Interop Las Vegas May 6-10, and attend the most thorough training on Apple deployment at the NEW Mac & iOS IT Conference. Join us in Las Vegas for access to 125+ workshops and conference classes, 350+ exhibiting companies, and the latest technology. Use Priority Code TLIWEEK by March 2 to save an extra $100 off the early bird price of Conference Passes. Register for Interop today!

About the Author(s)

Mathew J. Schwartz


Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights