Last week, I had the chance to listen to and speak with Representative Adam Smith of Washington state about cybersecurity legislation at a reception. This year has been pivotal for passing regulations to govern cyber, and attendees of this security event wanted to know his thoughts on the variety of proposed laws. While Rep. Smith didn't say much on any given bill, his take on the most important rule for governing the Internet really resonated with me. In cyber as with medicine, "first, do no harm." While trying to mitigate the risks, ungoverned spaces, and legal ambiguity inherent in technological revolution, what's most important is that the laws and regulations we introduce to protect the Internet don't do more harm than good and ruin what makes the Web so valuable.
This aphorism, borrowed from the Hippocratic oath, is critical right now because this is a pivotal time for the norms, laws, and standards that govern the Internet. Efforts are being made across government to set how the state relates to the new Web and all of the possibilities offered by this generation of information technology. The military is discussing rules of engagement in cyberspace, government agencies are setting policies to get the efficiency benefits of the Internet and mobile while mitigating their risk, and Congress is setting the nation's laws regarding cybersecurity. As both the critics and proponents of these laws have pointed out, whatever Congress passes will have global ramifications because of America's dominant role in cyberspace and the tendency of the rest of the world to adopt the norms we set for the Internet. What does or doesn't get passed isn't just a dry, legal matter, as demonstrated by the protests and testimonies of Internet experts, founders, and thought leaders that eventually stopped PIPA and SOPA.
This week, the House of Representatives begins debate on 4 bills related to cybersecurity, the most prominent and controversial of which is the Cyber Intelligence Sharing and Protection Act (CISPA). CISPA is meant to facilitate information sharing between government and industry, allowing the Intelligence Community to give information to private entities and encouraging companies to share information with the government. The premise, that neither vantage point is sufficient and that each sphere has intelligence that would benefit the other, is valid, but while taking steps to reduce one set of risks from criminals and spies, CISPA increases risks to privacy and civil liberties.
While the exact language of the bill is being amended and debated, civil liberties groups like the Electronic Frontier Foundation and the ACLU object to the broad range of information that can be shared and the conditions under which it can be exchanged. Initially, intellectual property theft and piracy were included under cybersecurity threats, though those specific terms have since been removed. Still, the information shared does not have to be strictly limited to cybersecurity matters such as vulnerabilities and exploits. In the language of the bill, any business could "use cybersecurity systems to identify and obtain cyber threat information to protect [its] rights and property." CISPA also explicitly allows information sharing to bypass existing privacy and wiretapping laws, and the information used this way is not subject to the Freedom of Information Act, creating a tremendous potential for abuse. Sponsors of the bill have supported amendments to address some of these issues, such as limiting eligible firms to U.S. companies and not, for example, Huawei, narrowing what sort of information can be shared, and only allowing information sharing if a company's networks are under attack, not if it feels its terms of service have been violated.
Though somewhat reassuring, such measures would never have even been proposed were it not for public vigilance and outcry. Given free rein, CISPA, like SOPA and PIPA, could have been a tremendous blow to Internet freedom, which in turn would weaken the Internet as a force for freedom of speech and information as well as efficiency, the very reasons the Web is so valuable. The cure, as Hippocrates would have said, would be worse than the disease. As long as lawmakers don't have a robust understanding of the Internet and cybersecurity and the testimonies of technical experts are marginalized in favor of special interest groups, well-meaning laws and regulations will be proposed that, in an effort to safeguard the net, do damage more serious than the crimes they aim to prevent. Therefore, when legislating the future of information technology, we must stay committed to "first do no harm" in cybersecurity just as in medicine, so that we maintain a healthy, secure cyberspace.