US Cybersecurity is About Surveillance, Not Security

The term “cybersecurity” has long been a comically ubiquitous utterance in Washington. But recent proposals from Congress, the White House and the intelligence community are straining the word’s meaning to dubious ends, Joshua Kopstein, a cyberculture journalist and researcher, wrote for Al-Jazeera.

For most Americans, cybersecurity is the protection we desperately need in response to the dwindling separation between our physical and digital lives. Two-thirds of Americans now carry pocket-size computers full of intimate data that are connected to the Internet at all times, and cars, refrigerators and thermostats are not far behind. After a year of high-profile hacks — from the crippling compromise of Sony Pictures to major intrusions at Target, Home Depot and most recently the health insurance giant Anthem — who would say no to cybersecurity?

But D.C.’s cybersecurity rhetoric is a political smokescreen. Though based on real threats, its purpose is to rally support for sweeping policies such as the Cyber Information Sharing Act (CISA), Congress’ latest attempt at cybersecurity legislation, that merely enable more surveillance.

  Redundant and Ineffective

What CISA proposes is nothing new; in fact, it’s the same controversial plan that members of Congress have been pushing for years. Rather than protect average Americans’ data by creating liability for companies that fail to follow standards or investing in better security technologies, the bill would establish a system in which private companies share threat information with the government, including personal information collected from users. The many previous versions of this sharing program have been called a privacy nightmare, and the current iteration is pretty much a carbon copy. It allows private companies to share any information deemed to be an indicator of a cyberthreat (called a signature) — free of liability and without any guarantee that a review process has taken reasonable steps to remove personal information beforehand.

How, exactly, would this improve cybersecurity? Perhaps unsurprisingly, the logic is almost identical to that of the US government’s counterterrorism strategy. The thinking goes that if the government and the private sector were able to more quickly and easily share cyberthreat information, they could learn about the attackers’ tools and techniques, respond to breaches faster and perhaps even deter attacks. But experts overwhelmingly agree that such information sharing would be redundant and ineffective.

In a Feb. 25 Christian Science Monitor poll of top cybersecurity thinkers, 87 percent said that information sharing would not significantly reduce data breaches.

Jeff Moss, a member of the White House’s Homeland Security Advisory Council and the founder of the hacker conference Def Con, had a similar response to the poll, saying, “Information sharing allows better and faster Band-Aids but doesn’t address the core problem.” Geer said, “The big data breaches are so often the result of not paying attention by the victim.”

If the US government really wants to protect Americans from security breaches, why does it coddle giant corporations when they are hacked instead of enforcing stricter security practices and holding companies liable when they unnecessarily put their customers at risk?

  Privacy at Risk

So far, the only proposal in Washington that puts corporations on the line is found in a separate cybersecurity plan, presented by President Barack Obama during the State of the Union, that would establish a mandatory 30-day disclosure deadline for announcing data breaches, ensuring customers will be informed promptly if their information is compromised. That plan also puts forth new rules protecting the data of students using apps and online services in classrooms.

These are good first steps. But it’s hard to believe that Obama is really committed to improving cybersecurity when parts of his administration are working to undermine it.

Let’s not be fooled: “Cybersecurity” measures such as CISA and mandatory backdoors are about surveillance, not security. We’re not going to become more secure simply by letting the FBI and NSA spy on everything. If the government wants to get serious about cybersecurity, it should be funding security researchers, establishing best practices and cracking down on companies that leave their customers vulnerable. Creating more methods for collecting data only puts our privacy and security at risk.