The word CISPA is now an epithet. But prior to it being linked to SOPA and PIPA, the Cyber Intelligence Sharing and Protection Act had a lot of industry support. This is because U.S. companies that are targeted by non-U.S. governments with cyber attacks typically require government assistance in order to properly analyze and remediate the intrusions. And yes, it happens.
As these “Advanced Persistent Threats” have become more frequent, the need for information sharing with the U.S. government has increased. Companies have seen that providing access to logs, and even to certain databases, has enabled detailed analysis of what was obtained during these attacks. Unfortunately, when those databases contain the personal information of individuals, privacy becomes collateral damage. Industry support for CISPA, therefore, comes from the desire of companies to safely navigate privacy regulations while still obtaining the help of the government.
Others can debate the pros and cons of the Act. My personal opinion is that the applicability of the Act is too broad for the intended purpose. My purpose in this note is to question what this means for an individual who is concerned about his or her privacy. For many companies, CISPA is simply legal cover for activity that is already going on. With or without CISPA, government agencies are called on to assist with APT—and because of that, privacy is being compromised.
So, what does it mean for us? It means we need to assume that attempts will be made to access data in the cloud, whether by attackers or by parties granted access during an investigation. We therefore need to make that data as secure as possible. The best way to do that is to encrypt everything we store in the cloud. And as we have noted above, relying on a cloud provider to encrypt it for us does not solve the problem: whoever holds the key can read the data. We need to encrypt our data ourselves, without sharing the encryption key with our providers.