I’m a big believer in fire alarms. They pick up on a specific and actual threat, draw your attention to it and get you out safely.
But in the course of a fire alarm, you often discover more information than simply that there is a fire in part of the house. Why are those two in that bedroom? Who is that dark-haired woman in the attic? Why are you clutching that seemingly valueless box as though your life depends on it? Sherlock Holmes uses this basic fact about fire alarms to draw out the culprit in “A Scandal in Bohemia.” Tell people of a threat and they often inadvertently reveal their secrets.
Likewise, information used to protect people can also be turned into evidence against them.
And this is just as true with CISPA, the Cyber Intelligence Sharing and Protection Act that passed the House on Thursday. No analogy is perfect, but the act poses a lot of the same problems that a fire alarm does. What do you do with the information you glean in the course of trying to protect people?
At first, I wasn’t worried about CISPA. The Internet grumbled, but I ignored it.
I had used up all my indignation on the SOPA battles. I was exhausted. Gmail changed its layout and I barely murmured in dissent. Congress could have passed some sort of arcane regulation requiring double-clicks for everything and I might not even have batted an eye.
And I do believe we need a better system to share information about cyberthreats.
As the nation’s infrastructure moves online, and our dams and nuclear facilities and factories and air traffic control systems are increasingly digitized, they are open to new threats. Protecting the networks is a real and continual challenge. The computer systems charged with protecting our nukes face millions of attacks daily. This is a very real problem.
Unfortunately, as a general rule, the people who speak about Cyber Threats in the most florid and unnerving terms are the ones who do not, not to put too fine a point on it, know what they are talking about. They imagine cyberwars as being something like Battleship — you hit a button and something explodes noisily, at a distance. They picture cyber-armies moving around lava-filled landscapes and “Matrix”-like battles with multiplying, sunglassed villains.
Nor does it help that the frameworks we have in place to address security threats are not well tailored to the multi-front, constantly evolving array of threats online. Those frameworks picture a war on a single front where civilian and military activities are clearly segregated. But online, there is little such differentiation; the same worm can baffle both online retailers and government networks. In traditional warfare, the idea that you would need real-time data from, say, retailers seems ludicrous. On the Internet, not so.
The Homeland Security department has been charged with securing the .gov domain, sharing information about online threats and coordinating efforts to protect the nation’s networks. But it often depends upon the National Security Agency, whose Cyber Command has tremendously more capacity and expertise. This imbalance of resources has made what is already a challenging area even more challenging. One of the hassles involved is the inability in many cases to share data about threats with the private sector, made more difficult by many privacy restrictions. CISPA seeks to come up with a way around that. But going in, advisers to the Obama administration were concerned about the way the bill treated this as an intelligence problem, not a security one.
“H.R. 3523 effectively treats domestic cybersecurity as an intelligence activity and thus, significantly departs from longstanding efforts to treat the Internet and cyberspace as civilian spheres. The Administration believes that a civilian agency — the Department of Homeland Security — must have a central role in domestic cybersecurity, including for conducting and overseeing the exchange of cybersecurity information with the private sector and with sector-specific Federal agencies,” read the Office of Management and Budget’s statement on the matter.
Besides, I tend to quail when Congress gets down to business regulating the sprawling and delicate ecosystem of the Internet. As a general rule, Congress is a lumbering bunch who still have BlackBerrys and vivid recollections of the ’70s, neither of which offers a particularly warm reassurance that they know what they are doing when it comes to the Internet.
And that was before the round of amendments Thursday night, when CISPA passed the House.
The idea of sharing data in response to threats is a good one. That’s why it’s important that any legislation on this issue be carefully tailored. Never give people more authority than you want them to use. Protecting children is all very well. Protecting individuals from personal harm is also very well. But, while good, these goals do not belong in cybersecurity legislation.
Sen. Ben Quayle’s amendment makes it difficult to argue that the bill is narrowly tailored enough or that it is taking the privacy rights of users seriously: “Would limit government use of shared cyber threat information to only 5 purposes: 1) cybersecurity; 2) investigation and prosecution of cybersecurity crimes; 3) protection of individuals from the danger of death or physical injury; 4) protection of minors from physical or psychological harm; and 5) protection of the national security of the United States.”
All five of these are laudable goals. But three of them have no place in a cybersecurity bill.
This is the central question of any cybersecurity information-sharing plan. What happens to your information after the government — be it the DHS or the NSA — gets its hands on it? How can they use it? While many Facebook users would be fine allowing their data to be shared (with some identity protections in place) to protect the system against threats, the idea that the government might then turn around and arrest them for psychologically damaging a child would not sit well with them.
No wonder Ben Huh of Cheezburger called it “SOPA’s cousin who works for the CIA.”
The question isn’t censorship this time. It’s the other perennial Internet problem — the unintentional overshare.
Of course, Facebook isn’t bothered by it. Facebook is entirely premised on the idea that maybe you do want to share all your personal information with as many people as possible.
It’s perhaps not as bad as everyone says, if what people have been saying to you is that it violates your Fourth Amendment rights and sends armed soldiers to your house to beat down the doors and take your data. That’s not the problem. Nor is the premise of the government asking for information the problem. It’s what they can do with it once they have it.
Sharing information about cyberthreats is not bad. It’s necessary, before the house catches fire. But it’s possible to figure out a way to do it responsibly, and this isn’t it.