Monday, 22 April 2013
U.S. at it Again with CISPA
Last summer the Internet world watched closely to see what the U.S. government would do regarding its controversial Cybersecurity Act. After being overwhelmed with criticism and opposition, American politicians dropped support for the bill and let it fade off into the distance. Now they're at it again with a new bill known as CISPA.
CISPA is an acronym that stands for the Cyber Information Sharing and Protection Act. It is a new piece of legislation ostensibly designed to combat cyber-attacks mounted against the U.S. both domestically and internationally. The legislation's greatest power comes by way of expanded authority to access web data from hosting companies and ISPs.
The bill was defeated once before, after members of the U.S. Senate voiced concerns about individual privacy. A second version of the legislation was recently passed by the House with added amendments to answer those concerns. The Senate could still reject this latest overture; something that's likely, thanks to a threat by the Obama administration to veto the legislation if it passes in its current state.
The legislation has the support of important technology organisations including CITA and TechNet. Those lined up against it include Facebook, Reddit, the American Civil Liberties Union (ACLU), and the Electronic Frontier Foundation. It seems there will be no shortage of debate, just as we saw with the Cybersecurity act last year.
The authors of the bill cite the recent attacks from known threats as the main impetus for the bill. China was singled out buy one politician who said, "If you want to take a shot across China's bow, this is the answer." Those opposed say the legislation will do nothing to stop cyber-attacks but will decrease the privacy and security of every Internet user.
For Internet-based companies and governments outside the U.S. the most pressing question regarding CISPA is one of jurisdiction. During the debate over the Cybersecurity Act, U.S. courts asserted the American belief that they have jurisdiction over any computer system or user tied to information flowing in or out of the country. Whether or not they will assert the same thing with CISPA remains to be seen. If they do, we can expect more international organizations to come out against the bill.
The other concern is the potential trouble for data centres and hosting companies in the U.S. They would have to come up with comprehensive policies covering all phases of data management and protection. Data centre training would also be required in order to bring all employees up to speed as to how to handle sensitive information and requests from government entities.
In short, CISPA is another bill with shortcomings that will likely far outweigh any perceived benefit. It appears as nothing more than just a short-sighted effort among a group of American politicians to beef up Internet security. A better approach might be to encourage technology companies to continue security innovations while governments focus on aggressively prosecuting attackers using existing laws.