With the passage of the Cyber Intelligence Sharing and Protection Act by the House, Congress has taken a very important step to increase the nation's cybersecurity posture. But let's remember something critical: it's just one step.
CISPA has been the subject of intense debate about whether it will adequately protect personal information. While respecting the concerns of the privacy community, the simple fact is that when it comes to protecting the nation from cyberattacks, the government has better things to do than sift through electronic noise for juicy personal information.
What's far more damaging is that the ponderous privacy debate has prevented the government and the private sector from doing something simple: telling each other what viruses, malware and other bad cyber-weapons look like. Realistically, all Intelligence Chairman Mike Rogers, R-Mich., and ranking member C.A. Dutch Ruppersberger, D-Md., have been attempting is to give the government the ability to create an identification database for known cyber-threats. Depriving the government of the ability to share that information is tantamount to telling the FBI that it can publish a "10 Most Wanted" list, but only if no names or descriptors are used.
Let's assume, though, that CISPA or a version thereof actually makes it into law. With that good information-sharing program in place, will we be materially better off against cyber-threats?
Sadly, nope, we won't.
Don't get me wrong: robust information-sharing will be quite helpful against cyber-threats. The problem is that the known threats are not what we should be most concerned about: it is the new ones, the ones we never saw coming.
Cold Warriors like to say they miss the Soviets: they were predictable. You flew a satellite over a missile range, and if a rocket was there, you knew in 18 months they would have a new weapon.
Unfortunately, cyber-threats don't work like that. We will not be crippled by a piece of malware that's been circulating for months, much less years. It is going to be something new, something constantly changing. These "advanced persistent threats" or "zero day attacks" are the real problems.
Such threats are not unusually difficult to create and can be unnervingly effective. They can be targeted at one specific organization or even one individual and sit dormant until the time is right to sneak out the desired information.
Those are the kinds of threats we need to spend more energy to protect ourselves from. Fortunately such protections, like "detonation chambers" and other systems that determine if a program is acting in odd ways, already exist. One could also tick off an endless list of other cyber-threats such as counterfeit parts with embedded malware. Let's not forget, too, that all the safeguards in the world are not going to help if information is shared with someone who does the cyber equivalent of leaving an iPad on the dashboard of an unlocked car.