While cybersecurity legislation generally proceeds at a torpid pace, the U.S. House of Representatives actually passed the Cyber Intelligence Sharing and Protection Act (CISPA) last week. The bill now proceeds to the Senate and may end up on the President's desk.
Now I for one believe that cybersecurity legislation is needed. Cybersecurity defenses are shoddy at best in way more organizations than you think, so Uncle Sam should be more active here. Don't just take my word for it: In a survey of 285 security professionals working at critical infrastructure organizations, 71% of respondents said the Federal government should be "significantly" or "somewhat" more involved in cybersecurity strategies and defenses when it comes to protecting the U.S. critical infrastructure.
So I should be dancing a jig about CISPA but I'm actually singing the blues instead. To be candid, CISPA is a poorly written piece of legislation about a topic that is clearly misunderstood by Congress. Why? For starters, information sharing is a small piece of the puzzle. Yes, it's important but it also assumes that all of the parties know how to interpret and act upon the information. Many, if not most, don't. Furthermore, it ignores any type of security standards or oversight, assuming instead that the free market will motivate company executives to protect customers with strong cybersecurity. Yeah, just like the free market kept banks from making risky investments in mortgage-backed securities to protect their clients. Finally, the House must have missed the whole privacy brouhaha over the Clipper Chip, FISA, the Patriot Act, and the Senate's Cybersecurity Act of 2012. CISPA is so vague about privacy limitations that it provides a cybersecurity loophole to a myriad of other domestic spying controls.
Many of the actual cybersecurity-smart legislators like Congressman Langevin from Rhode Island and Senator Lieberman from CT are opposed to CISPA because it doesn't go far enough. Furthermore, President Obama has pledged to veto the bill if it gets to his desk.
So why is the House persisting? Maybe I'm a skeptic but it must be politics. CISPA satisfies the need to "do something" without doing anything. CISPA has no teeth and won't require anyone to invest in desperately needed security policies, skills, and technologies. In the event of a major cyber attack, Congress can claim that it had done its job and tried to pass cybersecurity legislation. Blame the Senate or the President, not the House.
This situation would be funny if it weren't so serious. Does Congress really believe it can continue to push this farce on the American people? I hope not. Note to Congress: Please get a competent and honest effort going here. Our safety depends on it so stop using national security and the economy as a political pawn.
You can read Jon's other blog entries at Insecure About Security.