With the passage of the Cyber Intelligence Sharing and Protection Act by the House, Congress has taken a very important step to increase the nation’s cybersecurity posture. But let’s remember something critical — it’s just one step.
CISPA has been the subject of intense debate about whether it will adequately protect personal information. While respecting the concerns of the privacy community, the simple fact is that when it comes to protecting the nation from cyberattacks, the government has better things to do than sift through electronic noise for juicy personal information.
What’s far more damaging is that the ponderous privacy debate has prevented the government and the private sector from doing something simple: telling each other what viruses, malware and other bad cyber-weapons look like. Realistically, all Intelligence Chairman Mike Rogers, R-Mich., and ranking member C.A. Dutch Ruppersberger, D-Md., have been attempting is to give the government the ability to create an identification database for known cyber-threats. Depriving the government of the ability to share that information is tantamount to telling the FBI that it can publish a “10 Most Wanted” list, but only if no names or descriptors are used.
Let’s assume, though, that CISPA or a version thereof actually makes it into law. With that good information-sharing program in place, will we be materially better off against cyber-threats?
Sadly, nope, we won’t.
Don’t get me wrong — robust information-sharing will be quite helpful against cyber-threats. The problem is that the known threats are not what we should be most concerned about: it is the new ones, the ones we never saw coming.
Cold Warriors like to say they miss the Soviets — they were predictable. You flew a satellite over a missile range, and if a rocket was there, you knew in 18 months they would have a new weapon.
Unfortunately, cyber-threats don’t work like that. We will not be crippled by a piece of malware that’s been circulating for months, much less years. It is going to be something new, something constantly changing. These “advanced persistent threats” or “zero day attacks” are the real problems.
Such threats are not unusually difficult to create and can be unnervingly effective. They can be targeted at one specific organization or even one individual and sit dormant until the time is right to sneak out the desired information.
Those are the kinds of threats we need to spend more energy to protect ourselves from. Fortunately such protections, like “detonation chambers” and other systems that determine if a program is acting in odd ways, already exist. One could also tick off an endless list of other cyber-threats such as counterfeit parts with embedded malware. Let’s not forget, too, that all the safeguards in the world are not going to help if information is shared with someone who does the cyber equivalent of leaving an iPad on the dashboard of an unlocked car.
So are we better off with CISPA as law? Absolutely. Will we be totally secure? Absolutely not. The sad truth is that our adversaries have the ability to stay more than a few steps ahead of us. Given how long it is taking Congress to let us simply dust for cyber-fingerprints, it is clear that we have a long way to go to protect ourselves.
Where do we go from here? I won’t pretend to have the answer, but I do know there is no one solution, because there is no one single threat. Given that, we have to look to dynamic, fast-acting private companies and give them the tools and running room they need to quickly develop new solutions and identify new trends. Such incentives can take the form of liability protection for when defenses don’t work perfectly and safe harbors for reporting when something bad has happened.
At the end of the day, we need CISPA and we need Rogers and Ruppersberger along with Reps. Michael McCaul, R-Texas, Mac Thornberry, R-Texas, and Jim Langevin, D-R.I., Sen. Thomas R. Carper, D-Del., and others to keep fighting the good fight. But we also have to realize that when CISPA crosses the checkered line, it doesn’t mean we can declare a winner. It just means we have completed one lap in a very long race.
Brian Finch is a partner at Dickstein Shapiro LLP and an adjunct law professor at George Washington University Law School.