The Other Problem With CISPA: The US Can’t Handle the Data

What's to come?
May 1 2012 11:24 AM

Why the Government Can’t Remain the Cybersecurity Czar

CISPA doesn’t just violate digital privacy. It will flood the U.S. government with more data than it can handle.

Rep. Mike Rogers.
Rep. Mike Rogers, chairman of the House Permanent Select Committee on Intelligence and author of CISPA

Photograph by Tom Williams/Roll Call.

Last week, the controversial cybersecurity bill known as the Cyber Intelligence Sharing and Protection Act passed the House of Representatives. CISPA, which would provide a mechanism for the government and private companies to share information regarding cyberthreats, has the support of hundreds of companies. However, civil liberties organizations including the Center for Democracy and Technology, the Electronic Frontier Foundation, and the ACLU are strongly (and justifiably) opposed to the bill on privacy grounds. For example, CISPA could allow companies to give private communications such as emails to the government, with no judicial oversight, if they contain what is deemed to be “cyber threat information.” The White House has threatened to veto the bill, expressing concern over its lack of “privacy, confidentiality, and civil liberties safeguards.”

Depending on whom you ask, cyberwar is either the “next threat to national security,” as the book by Richard Clarke and Robert Knake was titled, or “more hype than hazard,” as Thomas Rid of Kings College recently wrote in Foreign Policy.

But set aside the debate over how serious a threat cyberwar may be and the question of how to ensure security without sacrificing individual privacy. Instead, let’s focus on a fundamental technological shift that has occurred while most of us weren’t looking: Over the last decade or so, thoroughly analyzing the world’s data to identify potential cyberthreats has gone from difficult to impossible. The volume of digital information has become far too large.

This shift completely redefines the cybersecurity problem. When the task of finding cyberthreats was merely becoming more difficult, it was always possible to respond by getting a bigger budget, buying more computers, and hiring more analysts. But the old solutions don’t scale any more. The idea underpinning CISPA—that the government should sit at the center of the cybersecurity universe, collecting all of the information about cyberthreats, analyzing it, and dispensing solutions—will no longer work. There are too many data. The government can be an essential supporting actor in the effort to secure American networks and to prevent intellectual property theft. But it can’t, and shouldn’t try to be, the orchestra conductor.

According to the EMC-sponsored 2011 IDC Digital Universe Study, 1.8 trillion gigabytes of data were created or replicated in 2011—an amount that IDC described as equivalent to “every person in the world having over 215 million high-resolution MRI scans per day.” Cisco has projected that by 2015, 1 million minutes of video will cross global networks every second, and that there will be twice as many networked devices as there are people in the world.

Who is capable of thoroughly analyzing all of that traffic—or at least the subset that passes through American networks and companies—to identify potential cyberthreats against the United States? No one. Not the U.S. government. Not companies working with the government. It is simply not possible.

There are plenty of specific domains in which the amount of data has remained more manageable—think the power grid, the financial system, the government’s internal networks, and the plumbing that underpins mobile phone systems. The government has a legitimate and vital role to play in securing critical infrastructure. This was recognized by the sponsors of the recently introduced Cybersecurity Act of 2012, a Senate alternative to CISPA that aims specifically to “enhance the security and resiliency of the cyber and communications infrastructure of the United States.”

But when it comes to personal and corporate emails, social network postings, online purchases, Internet browsing, and other features of the broader American digital ecosystem, the government’s role must be less central. To put companies in a better position to identify and respond to cyberattacks, the proper direction for most information to flow is away from the government, not toward it. The government can furnish valuable guidance to companies regarding cybersecurity threats. And, to be fair, CISPA does indeed provide a framework for this to occur.

The concerns with CISPA relate to how it handles the flow of “cyber threat information” in the other direction, from companies to the government. The legislation contains a blanket exemption from liability as long as company decisions regarding what to share with the government are made in “good faith.” This will encourage companies to adopt an overly broad interpretation of “cyber threat” and inundate the government with more data than it can likely handle—and much of the information will have little or no cybersecurity value.

It doesn’t have to be this way. Instead, we can safeguard privacy while creating a much more manageable way to assess potential threats. Companies should certainly be able to share properly anonymized data with the government about the types of attacks they are experiencing. The government, in turn, can help to distribute information about those attacks to companies across the American cybersecurity ecosystem, some of which will be able to quickly and cost-effectively identify appropriate defenses. And, in the rare instances when there is a genuine need for the government to access private data in the interest of maintaining the nation’s cybersecurity, appropriately transparent judicial oversight mechanisms should be used.

However, asking Americans to become part of a centralized, paternalistic, “trust us with your personal data” approach, as CISPA would do, makes little technological sense given the complexity and growth trends of today’s digital networks, systems, and services.

The days when the government could effectively be the cybersecurity czar for all of digital America are gone. And, legislation or not, those days aren’t coming back. The proper cybersecurity strategy is one that is both agile and distributed—just like many of the threats it will need to counter.

This article arises from Future Tense, a collaboration among Arizona State University, the New America Foundation, and Slate. Future Tense explores the ways emerging technologies affect society, policy, and culture. To read more, visit the Future Tense blog and the Future Tense home page. You can also follow us on Twitter.

TODAY IN SLATE

Foreigners

More Than Scottish Pride

Scotland’s referendum isn’t about nationalism. It’s about a system that failed, and a new generation looking to take a chance on itself. 

What Charles Barkley Gets Wrong About Corporal Punishment and Black Culture

Why Greenland’s “Dark Snow” Should Worry You

Three Talented Actresses in Three Terrible New Shows

Why Do Some People See the Virgin Mary in Grilled Cheese?

The science that explains the human need to find meaning in coincidences.

Jurisprudence

Happy Constitution Day!

Too bad it’s almost certainly unconstitutional.

Is It Worth Paying Full Price for the iPhone 6 to Keep Your Unlimited Data Plan? We Crunch the Numbers.

What to Do if You Literally Get a Bug in Your Ear

  News & Politics
Weigel
Sept. 16 2014 7:03 PM Kansas Secretary of State Loses Battle to Protect Senator From Tough Race
  Business
Moneybox
Sept. 16 2014 4:16 PM The iPhone 6 Marks a Fresh Chance for Wireless Carriers to Kill Your Unlimited Data
  Life
The Eye
Sept. 16 2014 12:20 PM These Outdoor Cat Shelters Have More Style Than the Average Home
  Double X
The XX Factor
Sept. 15 2014 3:31 PM My Year As an Abortion Doula
  Slate Plus
Slate Plus Video
Sept. 16 2014 2:06 PM A Farewell From Emily Bazelon The former senior editor talks about her very first Slate pitch and says goodbye to the magazine.
  Arts
Brow Beat
Sept. 16 2014 8:43 PM This 17-Minute Tribute to David Fincher Is the Perfect Preparation for Gone Girl
  Technology
Future Tense
Sept. 16 2014 6:40 PM This iPhone 6 Feature Will Change Weather Forecasting
  Health & Science
Medical Examiner
Sept. 16 2014 11:46 PM The Scariest Campfire Story More horrifying than bears, snakes, or hook-handed killers.
  Sports
Sports Nut
Sept. 15 2014 9:05 PM Giving Up on Goodell How the NFL lost the trust of its most loyal reporters.