What exactly is CISPA?

CISPA is a proposed amendment to the National Security Act of 1947, which reorganized U.S. military organizations and foreign policies after World War II. After the war, the existence of new threats made the U.S. realize that U.S. military organizations and U.S. agencies needed to work together, share information and coordinate their activities. CISPA aims to build on those efforts, but this time to bring together public and private cyber security experts to share information on attacks, losses and defenses necessary to protect against them.

The true purpose of this bill

The intent of the bill is to allow corporations, individuals and governmental organizations to share cyber threat information for cyber security, protection against cybercrime and the protection of national security. In fact, CISPA does not give either the NSA or DHS any surveillance authority that it does not already have.

Why some people are worried

Opponents of CISPA are mainly concerned with its effects on the right to privacy, fearing that user data and personally identifiable information would be at risk. While there may be some risk of a person’s information being shared as a data component of a specific cyber security event, that same information is in fact what hackers and cybercriminals are already obtaining as a result of weak cyber security practices. Additionally, there are multiple concerns that inappropriate surveillance practices would be allowed as a result of CISPA. Nevertheless, as noted above, CISPA does not provide any additional surveillance authorities to the NSA or DHS.

Debates on the proposed bill's effectiveness

The Computer Intelligence Sharing and Protection Act is drawing a lot of attention from House and Senate leaders and causing debates between supporters (large Internet service providers, hardware and software companies) and opponents, such as the American Library Association, the ACLU, ex-presidential candidate Rep. Ron Paul and finally the hacktivist group Anonymous.

How much will this cost?

CISPA has no associated costs for its implementation, management or oversight. This bill is a collaborative information guideline to be shared between public and private sectors. As a result, there will be no need for excessive government departments nor the associated tax increases to support them. Additionally, there are no associated regulatory issues to maintain or document, and no need to engage expensive consultants to certify compliance.

Cybercrime and CISPA

CNNMoney reports that the annual cost of data breaches for U.S. companies exceeded $130 billion, while the FBI has stated that total revenues generated by cybercrime are more than $1 trillion. These costs are passed down by banks, companies and even the U.S. government directly to the consumer. Without CISPA, private companies have no motivating reason to share information on cyber security events or processes. In fact, because of potential liability risks, it is in their best interest to keep quiet about them.

Cybercrime and communication

Currently, no laws require the notification of cyber security events, just industry best practices and guidelines suggesting notifications to clients and investors. However, notifications come with potential liabilities, such as lawsuits and loss of reputation, which will influence a company’s decision to document these events. CISPA does not require any person or company to provide notification of cyber events. However, it does provide for open communications between organizations, with limitations on the liability associated with these communications.

Author

Jerry Irvine, CIO of Prescient Solutions and several other Chicago companies, has more than 20 years of experience in the creation, development and management of IT. He is a member of the National Cyber Security Task Force, responsible for advising federal decision-makers on cyber security policy. Prescient Solutions is an IT outsourcer providing strategic direction aimed at reducing costs and improving business results.