Technology and politics make strange bedfellows. Rarely do politicians understand the capabilities or nuances of the cyber landscape, and rarely do technologists understand (or care to understand) the compromises of politics. But in a world of cyber espionage and cyber warfare, where technology is as integrated into the fabric of society as utilities and transportation, these two worlds are colliding.
As evidence, we have the Cybersecurity Information Sharing Act (CISA) of 2015, passed by the Senate Select Committee on Intelligence a few weeks ago, followed by the passing of a similar bill, the Protecting Cyber Networks Act (PCNA) passed last week by the House of Representatives Intelligence Committee.
Momentum seems to be gathering at the federal level to pass legislation making it easier for private companies to share information about cybersecurity threats and breaches with the government.
I personally struggle with the privacy implications. Cyber intelligence can include computer names and addresses, user names, emails, websites being visited, and more. While both the Senate and House bills contain provisions regarding privacy and the need to “scrub” data of personal information, it is inevitable and foreseeable that such information will sometimes find its way into the data being shared, and into the hands of intelligence agencies with no role in cyber security.
A number of my colleagues whom I respect sent an open letter to the Senate regarding their concerns about privacy in CISA. This was prior to some recent amendments, but many of their concerns remain.
At the same time, I am an unabashed proponent of information sharing when it comes to cyber threats. Too often, I see companies attacked using techniques that have been known to others in the industry for years; attacks that could be prevented or, at minimum, against which companies could be better prepared—if given the right information. We know that our adversaries are sharing, even buying and selling, cyber intelligence with each other. We need to do a better job sharing ourselves.
While I am naturally skeptical of government, the reality is that we, private citizens and corporations, are under attack by nation-state adversaries. Whether it is North Korea targeting Hollywood for perceived slights, China targeting chemical companies for trademark secrets, or Eastern European entities targeting financial institutions, we are being attacked by foreign organizations left and right. Our government must be a part of the solution. And it must be a two-way street; information cannot simply flow upward to Washington, it must disseminate from Washington as well.
The truth is I don’t know of any wording that would give me confidence that mistakes, intentional or not, won’t be made. Mistakes will happen. And we’ll have to adjust. As with any legislation, the implementation is as important as the wording, and we all should be diligent about keeping pressure on Congress regarding privacy, and about providing the right technology to support sharing while respecting privacy. Both of the current bills are voluntary, meaning it is completely up to a company whether or not they want to share information and, if so, what to share. For some, it may not be a big enough step, but I do see it as a step in the right direction.
In the end, I can’t say whether these bills are tightening the rope on individual privacy, or are simply walking that tight rope between technology and politics. As a technologist, I need to see something more tangible to judge.
Meanwhile, I remain committed to the principle that we need to make it easier to share cyber security information, and I remain optimistic that technology can solve some of the privacy concerns if we set our minds to it.