Here’s a good plan for fixing CISPA. And CISPA needs to be *fixed*, not stopped. We have three alternatives right now:
Secure the Internet
Voluntarily pare back the Internet
Wait for the Internet to fall apart and/or become too dangerous to use anymore
Given the unpleasant side effects of options 2 and 3, option 1 is all that’s left. Otherwise, the Internet will become a weapon of mass destruction. Keeping a hacktivist group or rogue nation from shutting down all gas and electric power in New York City on the coldest day in January is CISPA’s goal.
Besides, the ideas for fixing CISPA make it better. Sanitizing the data that the companies share with the government by dropping all of the PII (personally identifiable information) not only protects consumers, it also protects the companies and the government. The effort and expense involved with safeguarding PII is anything but trivial. There will be some expense involved in building systems to filter the PII, but in the long run, it’s easier, safer, and less expensive.
Systems to sanitize data while allowing the bulk of the data to pass already exist, and the government already buys and uses those types of systems to pass data internally anyway. Those of you who’ve taken a security certification may recall the Bell-LaPadula model. This is a subset of the problem that Bell-LaPadula was designed to solve.
I also worked with a client that solved a problem similar to this with regular expressions and a dirty word list. Depending on the application, messages containing something from the dirty word list were dropped entirely, or the dirty words were dropped. It’s a crude approach, but for this application it worked, and it cost a good 90% less than implementing Bell-LaPadula.
David Farquhar is a computer security professional, entrepreneur, and author. He started his career as a part-time computer technician in 1994, worked his way up to system administrator by 1997, and has specialized in vulnerability management since 2013. He invests in real estate on the side and his hobbies include O gauge trains, baseball cards, and retro computers and video games. A University of Missouri graduate, he holds CISSP and Security+ certifications. He lives in St. Louis with his family.