Today, we’re going to talk about something that’s been looming over the horizon recently and causing lots of people to panic. There’s been a lot of talk about the Cyber Intelligence Sharing and Protection Act (CISPA, in short) and its potential effects on the Internet, and I’ve decided to interview experts and executives from different corners of the country who are both for and against CISPA. If you want to get the latest scoop on what corporations and experts are saying about CISPA, read on. If you don’t have any clue what CISPA is, we’ll talk about it right now.
A short note about CISPA: It’s a proposed Act that wants to enforce measures that could possibly allow authorities to request information from online entities regarding their users or subscribers with the intention of securing the nation’s interests – a repeated concept in our lives and in Hollywood known as national security. Is the term “national security,” in this case, a guise or an actual concern? We’re about to find out!
In simpler terms: CISPA aims to make companies like Twitter and Facebook comply with new regulations that would compel them to reveal information about their users or visitors to help with any collection of information on someone who would be considered a threat.
The Tech Guy has conducted some exclusive interviews and compiled some commentaries from authorities on the matter to help us better understand what the whole shebang is about. The following people have been interviewed to make this possible:
- Jerry Irvine, Chief Information Officer, Prescient Solutions
- Marcus Carey, Security Researcher, Rapid7
Commentaries have been provided by:
- Lamar Bailey, Director, Security Research and Development, nCircle
- Harry Sverdlove, Chief Technology Officer, Bit9
We will start this as a Q&A and end it with commentaries that have been provided by courtesy of the sources mentioned above.
Our Interview With Jerry Irvine, CIO, Prescient Solutions
For a little background on the company Mr. Jerry Irvine represents, Prescient Solutions is an organization based in Schaumburg, IL that provides outsourced IT solutions to its corporate clients. The company reduces the costs of other firms by acting as their one-stop go-to IT department, complete with things like a help desk and disaster recovery services right out of the box. And so begins our interview:
First of all, I’d like to ask if you are for or against CISPA.
“Given the options available today, that’s the best option we have so far,” said Irvine. OK, so it’s not a full-blown “CISPA rocks,” but a reserved and well-thought-out answer that reflects the opinions of several people who work at security firms, and online entities like Google and Facebook.
“I’m not even trying to be political. It’s better than the Senate action, and it’s better than anything else we have right now, so until something better comes along, yes. I would say I’m for this.”
So, you’re pro-CISPA, right?
“I would like to see changes made to it, but if it can’t be done, the bill for CISPA at this point would outweigh anything today.”
How does CISPA speak to you at a personal level? How do you feel affected by this Act?
“Well, I’m a small business owner – specifically in the IT industry – and I am enthralled by the cyber security threats that are occurring right now,” Irvine said. He mentions that there are a lot of security threats he hasn’t even heard of because companies are not able to share information. In addition, he says that CISPA is for businesses and citizens. We’ll touch on this a bit later, but this is a very intriguing point (and it’s good to get a viewpoint from someone advocating, if ever so slightly, for CISPA after all).
“CISPA allows companies and the federal government to share information on cyber offense without the risk of some liability,” he continues. “The proponents of CISPA include Microsoft, ISPs, and other large software companies. It gives companies the chance to share information and catch the bad guys.”
What do you believe are the implications of CISPA on the general public?
“I believe that by having the ability of more information to be shared, the potential for a more secure environment exists.” He also adds that average people on the Internet would be further protected from threats because of all the information that passes between the federal government and companies regarding existing threats.
He adds an example of what CISPA would imply: “If companies can talk, it’s going to give them the ability to secure their environments. This would give me a more secure Internet for my personal use.”
After the Q&A
Despite my own stance against CISPA, I mentioned, “This is pretty interesting, because this is the first time that I speak to somebody with a pro-CISPA stance, and it’s great to hear this. It’s great to hear that, uhm, there’s another side to this because I’ve only been hearing things against it and I’ve been wanting to inform some of my audience about what benefits they could possibly reap from CISPA.”
His reaction to this led to further insight: “The Department of Homeland Security has pretty much an unlimited means for surveillance. CISPA does not provide any additional surveillance authority to the NSA, CIA or other federal agencies.”
He has a point here, which softened my stance slightly. What if CISPA is a necessary evil after all? What if, perhaps, we will finally have a reason to tell government agencies to back off our traffic data and just let companies cooperate when it comes to catching a threat?
It’s been a great pleasure to have the opportunity to speak to Mr. Jerry Irvine on this situation and I hope to speak again with him on another occasion when we need information on another subject. This is the first pro-CISPA stance we’ve seen so far.
Our Interview With Marcus Carey, Security Researcher, Rapid7
We’ve been hoping to score an interview with a security expert, and here he is. Marcus Carey is a security researcher at vulnerability management firm Rapid7, a company that helps organizations assess threat management and helps its clients reduce their IT vulnerability. The company has been running since the turn of the millennium and has received recognition from Inc. Magazine and Deloitte as one of the fastest-growing security companies in the world. Marcus Carey tells us about CISPA in this interview:
What do you think is the biggest threat to security in today’s ever-changing tech environment?
“The biggest threat today is drive-by attacks targeting unpatched browsers and plug-ins. These attacks are victimizing corporations and consumers on a daily basis. The attacks are stealing money from consumers and intellectual property from corporations.”
Does CISPA effectively help enhance the security of our current infrastructure? How does it/how does it not do this?
“CISPA isn’t so much about enhancing the security of the current infrastructure, it’s more about sharing information between the private sector on ‘cyber threat’ intelligence with the U.S. government. It does nothing to help address the actual security vulnerabilities.”
With solutions already in place against cyber security threats, is CISPA a superfluous hindrance on personal privacy or a valuable asset to global security?
“There are definitely privacy concerns with CISPA and no one can say that more information will make us more secure. I believe that we currently know enough about information security threats to make a major difference. CISPA will lead to more ‘big data’ that the government and defense contractors will have to sift through.”
Commentary From Lamar Bailey, Director, Security Research & Development At nCircle
Our first commentary is from Lamar Bailey, the Director of Security Research and Development at nCircle, a company that operates a cloud-based vulnerability management suite for enterprise clients around the world. Bailey feels that CISPA poses a clear threat to public privacy, saying that “The current CISPA bill delivers a mortal blow to the Electronic Communications Privacy Act of 1986 (ECPA) and allows law enforcement agencies to give all your data the equivalent of a TSA full body scan in the name of national security.”
I have a tendency to agree with the fact that the TSA scans were not absolutely necessary. Things like these make you start wondering, “What’s next?” We might end up with nude scanners. Oh wait, we already have those. They’ve been recalled and replaced with new ones that show the body’s “outline,” but the possibility is still there. The fact that Bailey compares CISPA to a TSA full body scan is intriguing.
He continues: “If we can put a man on the moon, a rover on Mars, and create stealth planes and helicopters, we can create a CISPA bill that protects our citizens’ personal privacy. Washington needs to rework the bill so citizens are not caught in political and cyber security crossfire.”
“If CISPA was a piece of software, it would fail QA [(Quality Assurance/Control)] because it is not ‘feature complete.’ Congress should not vote on CISPA until it includes sound measures to protect our privacy.”
We’re sure several organizations would agree with what Bailey just said. The Tech Guy also takes this stance.
However, companies like Google and Facebook have not been as quick to attack CISPA as they were with SOPA & PIPA.
Commentary From Harry Sverdlove, CTO, Bit9
Bit9 is the current global leader in a concept known as advanced threat protection. The company’s concept focuses on stopping a threat before it has a chance to arrive at its goal rather than stopping it once it’s already knocking on your door. Its set of solutions occupies very few resources on any given computer system, making them far preferable to the mainstream corporate antivirus solutions currently in place. Today, we have the pleasure of showing you a few words from Harry Sverdlove’s blog post on Bit9:
The contrast with CISPA versus SOPA is how the players and their roles within the debate have changed. Companies like Facebook and Google that prominently protested SOPA have come out in full support of CISPA. Google has mentioned in the past about Chinese hacking efforts trying to tunnel into their network and pull out valuable information about their company and its users. So it only makes sense that web companies like Google, that largely sell just cloud-based solutions or digital products, would love the flexibility to improve their security through communication and government assistance. It’s a difficult debate, but if CISPA passes it wouldn’t be the worst thing to happen to security for anyone.
As you can see, he points out the fact that Google and Facebook have been a bit softer on CISPA, particularly because they sell digital products. Yes, Facebook does sell something. It sells advertising to prospects who want to engage some of its members, which is usually shown on the right sidebar of the website when you go to “Home.”
Sverdlove’s stance shows that this is a delicate situation which can go both ways.
Thoughts From The Tech Guy
While not everyone agrees on whether CISPA should or should not pass, everyone seems to agree that it could be written differently. Marcus’ point was very interesting, as he told us that CISPA would make more “big data” for government to look through. Of course, this would mean having to spend more money on data analysis, possibly increasing the burden on the budget beyond its current state.
My take on this is that CISPA poses less of a threat to individual freedom than ACTA or TPPA does, but I’m still concerned about its effects on screening individuals for “possible threats” like the TSA does, as Bailey mentioned.
Irvine’s commentary was very interesting, telling us that the sharing of information between companies and the federal government would be beneficial to the overall security of the Internet. However, I express a bit of concern about whether or not components of this proposition could be abused. The lack of an increase in the surveillance resources is an upside compared to SOPA, but I think we’re a long way from coming up with a viable solution that would protect the interests of the general public.
Let’s hear it for the people who have come forward about CISPA!
Got Anything to Add?
Should we or should we not protest CISPA? We’d love to hear your opinions! Leave a comment below (use the “Guest” option when you click “Post As” if you don’t want to use an account) and tell us what you think about CISPA.