CISPA isn't 'son of SOPA'

Stewart A. Baker
Politico
April 24, 2012

Earlier this year, the two of us, from very different backgrounds, joined together to oppose the Stop Online Piracy Act (and its Senate version, PROTECT IP). With a growing Internet security crisis, we agreed that SOPA would undermine Domain Name System Security Extensions, a critical security protocol for making trust work on the global scale.

We may have thrown some of the first stones, but SOPA was ultimately buried by an avalanche of criticism. Tumblr, Reddit and Wikipedia, among others, even protested by taking their sites down for a day. The effect was not subtle. SOPA is dead.

They say victory has a hundred fathers. It also has a hundred would-be sons — and “son of SOPA” campaigns have proliferated. In Europe, for example, SOPA’s defeat inspired a surprisingly successful effort to block the Anti-Counterfeiting Trade Agreement.

Here in the United States, though, the debate has taken an odd turn. After stopping a bill that would have undermined cybersecurity, some Internet activists are now targeting bills that could actually make the Internet safer. They’re charging that bills like the Cyber Intelligence Sharing and Protection Act represent stealth attempts to resurrect SOPA under the guise of promoting cybersecurity.

There are ways to address this concern, but we must remember the bigger privacy and civil liberties threat: the Internet’s insecurity. All our networks are under attack.

It would be comforting to dismiss such claims as empty hyperbole — a mix of fear, uncertainty and doubt. But after years of working with Fortune 500 firms to secure their operations and products, the two of us have little doubt that our country faces a genuine cybersecurity crisis — and the status quo isn’t going to get us out of this fix.

We’re seeing an alarming crescendo of network attacks on government, businesses and citizens. We’ve lost state secrets, defense technologies, billions of dollars in commercial research and development, and our personal information to an assortment of cyber spies, cyber crooks and hacktivists.

And we’ve not seen the worst of it. Chances are that sometime in the future someone will use our vulnerability not to steal secrets but to cause harm. Maybe they’ll bring down the power grid, maybe they’ll sabotage key military technology or maybe they’ll just wreak havoc in our financial system.

Without security, no network offers privacy. A hacked database offers no protection.

Part of the solution is to get better at sharing information. That means sharing attack signatures at light speed so as soon as a new attack vector is identified by one company, it can be blocked by others. Government needs to be part of that system — it has a lot to defend and it’s pretty good at identifying signatures.

But under current law, once the government shows up to receive information, private-sector participation slows from the speed of light to the speed of lawyers. Current law lets companies share information with the government without a court order only to protect their own networks against malware, but not to protect others.

We can do better than this. Very few of CISPA’s opponents disagree with the need for better security and faster information sharing.

In any event, CISPA’s provisions are different from SOPA’s. CISPA would not create any new authorities to filter content or take down websites. And unlike SOPA, which would have given the attorney general power to compel private action, CISPA would be entirely voluntary. And the House Permanent Select Committee on Intelligence has partially addressed concerns by dropping all reference to intellectual property.

To put it in terms that Washington remembers:We knew SOPA, we fought SOPA, and CISPA is no SOPA.

In short, we need to fix CISPA, not fight it. We can all agree that if Facebook reports that a link has been used to propagate malware, the government should expend its resources to warn users and foil the attack, not issue notices of potential copyright violations about the link.

But it isn’t that hard to write language explicitly excluding IP enforcement from the permissible uses for CISPA information. As with posse comitatus, which draws a sharp distinction between using the military to defend the nation and using police to enforce the law, cybersecurity legislation needs to focus on protecting users, not prosecuting them.

Dan Kaminsky initiated the largest Internet security fix. One of seven Recovery Key Shareholders for the Domain Name System, he is chief scientist at security firm DKH. Stewart Baker, a partner at Steptoe & Johnson, has served as general counsel at the National Security Agency and assistant secretary for policy at the Department of Homeland Security.

© 2012 POLITICO LLC