BLOG: CISPA and the Myth of Security

The internet is abuzz with warnings about the proposed CISPA legislation - HR 3523.  As with a lot of legislation, this bill is well intentioned, but not helpful.

This particular bill is also emblematic of the confusion and ignorance that pervades conversation about internet issues.

The motivation for this federal legislation is the powerful urge being felt by those who don't understand the internet to have a "coordinated" authority tracking and monitoring "critical infrastructure" that could in theory be damaged or destroyed by a "cyber attack".  Some people believe that if there is no federal agency "regulating", we are vulnerable.

The thrust of CISPA is to allow federal agencies to share information about "cyber threats".  Current law is complex and not entirely clear.  CISPA is 16 pages of provisions allowing certain entities to share certain kinds of information with certain other entities under certain circumstances, other laws notwithstanding.  (It does not directly threaten anyone's privacy, as some suggest)

Is that clear?

First of all, "cyber attacks" are not the big mushroom-cloud events that you see in the movies.  They take the form of hundreds or thousands of attempts to guess your password, or generating ill-formed requests to a web server, or spewing out "poisoned" packets on the internet.  There are many forms and types, but they are not at all rare.  They are as common as mosquitoes.  I have  many thousands of these "attacks" on my computer servers every week.  I have to be careful to monitor my servers to ensure that these "attacks" are not successful.  That is part of my job, and there is absolutely nothing that the federal government can or should do to fix it.

Secondly, the idea that information sharing and monitoring by federal agencies will prevent the "next big cyber attack" is silly.  It's much like the idea that the folks at the SEC can prevent the stock market from crashing.  No one is that smart.  The hackers who launch these attacks are like the mosquitoes.  They are everywhere, and constantly probing for weaknesses.  We may as well pass a federal law banning shoplifting.

Like shoplifting, "cyber attacks" are a fact of life in a world with worldwide anonymous connectivity.  Like shoplifting, it is the responsibility of each computer owner, administrator, or manager to take appropriate steps to ensure that important data is secure.  There is an entire industry segment devoted to anti-virus and security issues.  PC security software is widely available.  This is not a crisis, nor even a major problem.  It is part of the price we pay for internet freedom.

There are places in the world where shoplifting is rare.  In those places, merchants keep customers in the lobby behind a fence, and if the customers want to see an item, the item is brought from the back room, and shown to the customer.  The customer is only permitted to actually touch the item under close supervision.

In the same way, computers can be put behind a screen, and users permitted access only under tight supervision.  This has been tried by certain repressive regimes.

General Douglas MacArthur said: "There is no security in this life, only opportunity". We must stop turning to government to solve every problem - real or imagined, as though we can somehow achieve ultimate security.  The internet is not "broken", and all the federal "oversight" in the world will not "fix" it.  I, for one, do not want the federal government to even try.