The country is vulnerable without CISPA

While some worry about privacy in a proposed cyber intelligence law, they should be worried about attacks.

The uninterrupted operation of our nation's infrastructure is vital to our physical and economic security and our lives. It monitors generators producing power; controls valves that allow gas or oil to flow from well to refinery to pump; manages air, rail, and road traffic; and enables banks to process credit card transactions and business activities nationally and internationally.

In 2011, Rep. Mike Rogers, a Michigan Republican and then chair of the House's Permanent Select Committee on Intelligence, put forward a bill called the Cyber Intelligence Sharing & Protection Act (CISPA). It was meant to allow for information sharing between the private sector and U.S. government as a means to ward off cyber attacks that could cripple the country's infrastructure. But civil liberties groups and others roundly criticized the bill for its lack of provisions to protect privacy. The 2011 bill was amended, and in spite of passing the House in 2012 and 2013, it never passed the Senate; both bills died after referral to the Senate Select Committee on Intelligence.

Congressman C.A. Dutch Ruppersberger, a Maryland Democrat, last month reintroduced the 2013 version of bill, saying "we must stop dealing with cyber attacks after the fact." He pointed to North Korea's recent attack on Sony Pictures, which "cost the company millions of dollars." Still, Internet privacy advocates and other critics are again viewing the bill as unfettered license for the government to collect private information at will.

They are wrong.

This bill, and the two versions passed by the House before it, do not authorize broad and unnecessary data collection, and the professionals in the intelligence community have no interest in such power.

The current CISPA bill requires the government to "reasonably limit the receipt, retention, use, and disclosure of cyber threat information associated with specific persons that is not necessary to protect systems or networks from cyber threats or mitigate cyber threats in a timely manner." It also allows for monitoring by Congress, the Privacy and Civil Liberties Oversight Board and others, as well as specific language prohibiting intelligence agencies from using CISPA to expand surveillance of U.S. persons beyond existing law.

CISPA also contains language prohibiting the Department of Defense, intelligence community and specifically the National Security Agency from any attempt to "control, modify, require, or otherwise direct the cyber security efforts of a private-sector entity or a component of the Federal Government or a State, local, or tribal government."

Moreover, NSA Director and Commander of U.S. Cyber Command, Admiral Michael S. Rogers, told the House Permanent Select Committee on Intelligence that NSA does not want to gather private information in pursuit of critical infrastructure defense and that NSA does not want to be plugged into private sector networks — actions contrary to NSA's authorized foreign intelligence and information assurance missions.

He also stated that he wants a public discussion with the private sector about exactly what information NSA or U.S. Cyber Command would receive under CISPA. That public dialogue, along with CISPA's oversight requirements and the existing set of controls over intelligence activities already in place, should serve as a source of reassurance for the American public that CISPA authorities will be respected, and not exploited.

Beyond these privacy protections, the bill authorizes the government to provide classified cyber threat information to appropriately cleared members of private industry, which will help mitigate cyber threats against our critical infrastructure.

While nothing will silence critics who view all government activities in the most cynical light, CISPA in its current form appears to be a good legislative solution to a problem of vital interest to our nation, and it has languished for more than three years in Congress.

Every day that passes without this law is one more day that cyber-criminals and hackers, supported by nation-states or operating as a hired-guns for terrorist organizations, will have the ability to shut off your drinking water; turn off the power to your home or business; cause chaos in the sky, roads, or rails; shut down American industries or companies; or cripple our ability to defend ourselves against attack.

Tom Wither is the author of the military intelligence thrillers "The Inheritor" and "Autumn Fire" (Turner Publishing) and a 25-year veteran of the intelligence community. The views and opinions expressed are his own. His email is Tom@TomWither.com.

Copyright © 2017, The Baltimore Sun, a Baltimore Sun Media Group publication | Place an Ad
37°