I read yet another anti-CISPA piece today. I’m not comfortable trying to read it and decide whether it’s a good or bad piece of legislation, but I do understand the problem it’s trying to solve.
Those who have tried to paint CISPA as the new SOPA or PIPA are misunderstanding the problem CISPA is trying to solve. CISPA isn’t supposed to be about stopping the scourge of teenaged boys using the Internet to copy music and movies. It’s actually chasing something nefarious.
Let me give you an example.
The St. Louis firm Express Scripts discovered several months ago that more than 20,000 pages of sensitive business documents had been stolen from its networks. It traced the leak to one of its business partners and filed a lawsuit.
But sometimes the attack is more sophisticated than that, and harder to crack. A disproportionate number of these attacks are coming from one particular 12-story office building, according to this piece in the New York Times. So, let’s change the scenario a bit. Let’s say Express Scripts notices that 20,000 pages of sensitive material leaked out of its network, and they don’t know why. Let’s say that, meanwhile, Ernst & Young notices something similar has occurred to them as well.
CISPA’s intent is to provide a means for both companies to inform federal authorities of the breach, and those authorities would then be able to respond and say, “Hey, we see you’re not the only company that this is happening to. Not only that, something similar is happening to us. Here, let’s work together to figure this out and stop it.”
And then, the affected companies and government would be able to pool their data, figure out where the attack is coming from, and collectively build a better defense. And they’ll be able to share information without fear of being prosecuted themselves.
And if, indeed, these attacks are state-sponsored, this would give the U.S. government the data it needs to build its case and respond appropriately–whatever that may mean.
That’s the problem CISPA is trying to solve. Perhaps it needs to be written more explicitly that this is the intent of the bill.
I told several people last month–including a St. Louis-area newspaper reporter, ironically–when U.S. media outlets were being hacked by attackers from overseas that we would hear a lot more about this in coming weeks. Then this happened.
There’s more where this came from, too.