With the passage of the Cyber Intelligence Sharing and Protection Act by the House, Congress has taken a very important step to increase the nation’s cybersecurity posture. But let’s remember something critical — it’s just one step.
CISPA has been the subject of intense debate about whether it will adequately protect personal information. While I respect the concerns of the privacy community, the simple fact is that when it comes to protecting the nation from cyberattacks, the government has better things to do than sift through electronic noise for juicy personal information.
What’s far more damaging is that the ponderous privacy debate has prevented the government and the private sector from doing something simple: telling each other what viruses, malware and other bad cyber-weapons look like. Realistically, all Intelligence Chairman Mike Rogers, R-Mich., and ranking member C.A. Dutch Ruppersberger, D-Md., have been attempting is to give the government the ability to create an identification database for known cyber-threats. Depriving the government of the ability to share that information is tantamount to telling the FBI that it can publish a “10 Most Wanted” list, but only if no names or descriptors are used.
Let’s assume, though, that CISPA or a version thereof actually makes it into law. With that good information-sharing program in place, will we be materially better off against cyber-threats?
Sadly, nope, we won’t.
Don’t get me wrong — robust information-sharing will be quite helpful against cyber-threats. The problem is that the known threats are not what we should be most concerned about: it is the new ones, the ones we never saw coming.
Cold Warriors like to say they miss the Soviets — they were predictable. You flew a satellite over a missile range, and if a rocket was there, you knew in 18 months they would have a new weapon.
Unfortunately, cyber-threats don’t work like that. We will not be crippled by a piece of malware that’s been circulating for months, much less years. It is going to be something new, something constantly changing. These “advanced persistent threats” or “zero day attacks” are the real problems.
Such threats are not unusually difficult to create and can be unnervingly effective. They can be targeted at one specific organization or even one individual and sit dormant until the time is right to sneak out the desired information.
Those are the kinds of threats we need to spend more energy protecting ourselves against. Fortunately, such protections, like “detonation chambers” and other systems that determine if a program is acting in odd ways, already exist. One could also tick off an endless list of other cyber-threats, such as counterfeit parts with embedded malware. Let’s not forget, too, that all the safeguards in the world are not going to help if information is shared with someone who does the cyber equivalent of leaving an iPad on the dashboard of an unlocked car.