Cybersecurity Executive Order Shows Why CISPA Is Not Needed
Last week, the Obama Administration released an Executive Order on network and Internet security, also known as "cybersecurity," for critical infrastructure and other companies. The order shows how largely unnecessary CISPA is and should encourage users to oppose the privacy-invasive cybersecurity bill.
CISPA's aim is to facilitate the sharing and knowledge of network threats between private companies and the government. The bill's authors argue that companies must be given expanded spying powers and broad legal immunities in order for this sharing to occur. But the Executive Order encourages such sharing without the massive faults of CISPA.
The Executive Order has two core components. First, the order directs the National Institute for Standards and Technology (NIST) to create a "Cybersecurity Framework." Any company defined under the Executive Order can join. The Framework will notify companies about standards to protect against threats and about procedures to fix Internet threats.
More importantly, the Executive Order enhances the already existing information-sharing program known as the Enhanced Cybersecurity Services Program (ECS). The aim of ECS is similar to CISPA: ECS allows companies to share technical information, like attack signatures, with the government and each other to defend against Internet threats. Originally, the program was run by the Department of Defense (DOD) and only involved military subcontractors and companies that worked with DOD. Starting last month, control of ECS shifted to the Department of Homeland Security (DHS). The Executive Order will expand the program to critical infrastructure companies, like private electric grid companies, and all other companies because it defines eligible companies as any public or private company that "transports information electronically."
The Executive Order also ensures greater privacy protections than CISPA. The order requires agencies to consult with its privacy officers and incorporates the Fair Information Practices and Standards (FIPS) into ECS activities. The FIPS is a privacy framework addressing minimization requirements, the proportional use of personal information, and other rules around sensitive personal information. ECS data includes strictly technical information like domain names, malware files, and malware signatures. All unrelated personally identifiable information (PII) must be minimized when PII is sent. ECS will initially focus on two actions: providing companies with information about threats to redirect any malicious connection on their network and providing information about threats to filter emails that contain malware. All of this is done while ensuring good privacy protections.
Aside from the order, companies already can—and do—share critical threat information with each other under existing privacy laws. In 2010, when Google discovered malware targeting human rights activists, Google noted that it was notifying other companies from the finance, technology, and media sectors that were infected. Earlier this month, ArsTechnica's report on the recent Facebook hack showed that Facebook not only shared the signature and forensic data of the attack with other companies, but was also willing to speak openly about its sharing activities. And just last week, Mandiant's report on Chinese hacking showed the tremendous amount of information companies and Internet security providers can share.
EFF will be watching how the Executive Order is implemented, but one thing is clear: while some may downplay the Executive Order's importance, it addresses the core aim of CISPA without granting expansive powers to companies or broad legal immunity.