Return of CISPA: Cybersecurity boon or privacy threat?

Rights groups fear widespread sharing of personal information; security managers at RSA see key new piece for corporate cyber defenses

SAN FRANCISCO -- Rights advocacy groups and security practitioners remain on opposite ends of the spectrum on the merits of sharing information as a means to improve cyber security.

The Electronic Frontier Foundation, the Center for Democracy and Technology and other groups have vigorously opposed the Cyber Intelligence Sharing and Protection Act (CISPA), contending that it's a major threat to privacy.

The proposed legislation would make it easier for companies to share threat information with other businesses and the government -- and offers liability protection and legal immunity for organizations that take part.

The bill passed the U.S. House of Representatives last year amid huge protests and a veto threat by the White House. The bill failed after stalling in the Senate.

CISPA was reintroduced last month, and since then has faced the same loud critics.

EFF and other privacy advocates insist that the proposed law -- pretty much unchanged from the original -- would let companies snoop on people and share all sorts of personal information under the pretext of cybersecurity.

"It's written so broadly that it allows companies to hand over large swaths of personal information to the government with no judicial oversight," the EFF cautioned in a CISPA FAQ it released this week.

According to the EFF and others opposed to the proposed legislation, CISPA as written would permit communications service providers to share stored emails, text messages and files with the government.

Information sharing only addresses a "small piece of the information security puzzle," the EFF noted in its FAQ, adding that CISPA "does nothing to, for example, encourage stronger passphrases, promote two-factor authentication, or educate users on detecting and avoiding social engineering attacks, which is the cause of a majority of attacks on corporations."

Security practitioners, however, view CISPA and information sharing in general quite differently.

At the RSA Conference 2013 here this week, several security experts said that threat information sharing is a vital piece of the effort to improve cyber security at a time when attacks against U.S. organizations are escalating sharply.

They insisted that the ability to share information on emerging threats and vulnerabilities freely, without having to worry about liability, antitrust and other legal issues, must be a key part of any cybersecurity strategy. Where privacy advocates see a threat, security practitioners see an opportunity to deal better with a fast-changing threat environment.

"Information sharing -- having the means to share critical information, attack signatures, and detailed information is critical to [securing] critical infrastructure," said Christopher Pierson, chief security and compliance officer at financial services company LSQ Holdings.

Information sharing is not the final step in cybersecurity, he noted. "The key to success here is not information sharing as a destination. Information sharing is something that has to be present as a part of a holistic program that has relevancy and is actionable."

Security practitioners also noted that privacy protections are important and should be respected as part of any information sharing process.

IT security pros need to share non-personal information such as the IP addresses used to launch targeted attacks, the addresses of the command-and-control servers that run botnets, and the indicators of a data breach or of a new malware program.

Such information can help companies and government agencies prepare stronger cyber defenses and gain a better understanding of emerging threats, said Wade Williamson, a senior security analyst at Palo Alto Networks.

Anti-virus vendors have benefited substantially from sharing malware information with one another, Williamson said. But the industry still lacks a standardized way to share indicators of compromise and other threat information in a privacy-friendly manner, he said.
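The two passages above draw the line practitioners care about: share the attacker's infrastructure and malware indicators, keep the victim's identity and internal network out of it. The following Python is an added example written for this page, not code from the article or from any organisation quoted in it. It shows one way to apply that data-minimization rule before an indicator bundle leaves the organisation: an allow-list of indicator fields (anything else is dropped rather than redacted field by field), a refusal to export addresses that belong to internal ranges, a regex check that catches e-mail addresses mis-filed in an indicator field, and an audit summary recording what was withheld. The record layout, the field names and the sample events are all constructed for the example; the IP addresses come from RFC 5737 documentation ranges and RFC 1918 private ranges, and the hash is a placeholder (the SHA-256 of the empty string).

```python
"""Build a privacy-preserving indicator bundle from local incident records.

Added example for this article; not code from the article or from any
organisation named in it. The record layout and sample data are assumptions.
"""
import ipaddress
import re

# Networks that describe *our* infrastructure rather than the attacker's.
# Exporting them leaks internal topology, not threat intelligence.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",                                    # RFC 6598 shared space
    "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10",                 # IPv6 equivalents
)]

# Allow-list (assumed field names): only these fields carry shareable
# indicators. Victim names, mail bodies and internal hosts are never listed,
# so they are dropped without having to be hunted down one field at a time.
INDICATOR_FIELDS = {
    "src_ip": "ip-addr",
    "c2_domain": "domain-name",
    "sha256": "file-sha256",
}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def is_external_ip(value):
    """True if value parses as an IP address outside every internal range."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def indicator_is_shareable(kind, value):
    """Validate one indicator before it leaves the organisation."""
    if EMAIL_RE.search(value):
        return False                      # an e-mail address is personal data
    if kind == "ip-addr":
        return is_external_ip(value)
    if kind == "file-sha256":
        return bool(SHA256_RE.match(value.lower()))
    if kind == "domain-name":
        return "." in value and " " not in value
    return False


def build_share_bundle(events, recipient, purpose):
    """Reduce raw incident records to deduplicated indicators plus an audit
    summary stating what was withheld, for whom the bundle is, and why."""
    indicators = {}
    audit = {"records": len(events), "dropped_fields": 0,
             "rejected_indicators": []}
    for event in events:
        for name, value in event.items():
            kind = INDICATOR_FIELDS.get(name)
            if kind is None:
                audit["dropped_fields"] += 1          # not on the allow-list
                continue
            value = str(value).strip()
            if not indicator_is_shareable(kind, value):
                audit["rejected_indicators"].append((kind, value))
                continue
            indicators[(kind, value)] = {"type": kind, "value": value}
    return {
        "recipient": recipient,
        "purpose": purpose,
        "indicators": sorted(indicators.values(),
                             key=lambda i: (i["type"], i["value"])),
        "audit": audit,
    }


# Constructed sample records, not real incident data. 203.0.113.0/24 is an
# RFC 5737 documentation range standing in for the attacker's host.
SAMPLE_EVENTS = [
    {"victim_user": "alice@example.com",
     "src_ip": "203.0.113.45",
     "dst_ip": "10.1.2.3",
     "c2_domain": "update-check.example.net",
     "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
     "message_body": "Hi Alice, please open the attached invoice."},
    {"victim_user": "bob@example.com",
     "src_ip": "203.0.113.45",            # same attacker host, deduplicated
     "dst_ip": "10.1.2.7",
     "c2_domain": "update-check.example.net",
     "sha256": "not-a-real-hash"},        # malformed, rejected by validation
    {"victim_user": "carol@example.com",
     "src_ip": "192.168.5.20",            # internal scanner, must not leave
     "c2_domain": "bob@example.com"},     # mis-filed e-mail, caught by regex
]

if __name__ == "__main__":
    import json
    bundle = build_share_bundle(SAMPLE_EVENTS,
                                recipient="sector sharing group (placeholder)",
                                purpose="block known C2 infrastructure")
    print(json.dumps(bundle, indent=2))
```

Run as a script, the bundle that would be shared contains exactly three indicators (the attacker IP, the C2 domain and the hash), while six personal or internal fields are dropped and three indicators are rejected and listed in the audit record. The allow-list is the deliberate design choice: a deny-list of personal fields fails open when a new field appears in the logs, whereas an allow-list fails closed.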

"Sharing threat intelligence and information on newly discovered attack techniques observed by other organizations and leveraging that information to improve and inform is of tremendous value," said Amit Yoran, general manager of the security management and compliance unit at RSA.

That task would require very detailed information on what is being shared, how it is being shared, with whom it is being shared and why. Organizations need to be able to describe clearly any information sharing process and how it could defend their organization against attacks, he noted.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed. His e-mail address is
