President Obama To Encourage Cybersecurity Information Sharing, Highlighting Why We Don't Need CISPA

from the don't-destroy-privacy-in-the-name-of-cybersecurity dept

There’s a big “White House Cybersecurity Summit” down the road at Stanford today, where the President will release the details of a new executive order promoting “a framework for sharing information about cyber threats” which the administration hopes will lead organizations to better protect their data from malicious hacks.


The new executive order encourages businesses to form “information sharing and analysis organizations,” or ISAOs, which would gather data about hacking attacks and share it with companies and the government.

And, of course, a bunch of companies are going to announce that they’re doing just that:


A number of companies will announce Friday that they are incorporating the administration’s cybersecurity framework, which was created after a 2013 executive order, into their companies. The framework helps businesses decide how to use cybersecurity investments, ways to implement cybersecurity for new companies and measure their programs against others. Intel, Apple and Bank of America use framework and will announce that they will require all vendors to use it. Both QVC and Walgreens will say they will employ the framework in their risk management practices, while Kaiser Permanente will commit to using it as well.

Of course, if you’ve been following the big fights over the past few years on cybersecurity legislation, you’ll know that such “information sharing” has been a key component in most of the proposed bills, none of which have become law. Most of the bills have focused on one key thing: giving companies liability protection, so that they can’t be sued over the information they share. From the beginning, however, we’ve asked a pretty simple question that no one has answered: what is currently preventing companies from sharing such threat information?

The answer, as reinforced by this move today by the White House, is absolutely nothing. Companies can (and in some cases already do) share “threat” information, and having them do so in a more organized fashion to prevent malicious attacks is, in fact, a good idea. What’s not needed is a law that basically gives blanket immunity for companies to share almost any information to any government agency. That’s been the problem with CISPA, CISA and similar bills: they’re not about truly making information sharing about threats easier, since that can be done already. They’re about giving blanket cover for companies to share even more information with government agencies such as the NSA.

With this new executive order and companies adopting the suggested framework, many of the “benefits” backers of cybersecurity legislation talk about will happen without the need for any new legislation. True threat information can be shared and companies can get wiser about protecting their information. But it doesn’t give them blanket immunity if they start handing over other information to the government for other purposes, such as surveillance. That’s important.

Yes, working together to prevent the growing number of online attacks is important. But that should never be used as a backdoor process to enable greater surveillance. Doing it this way, rather than by passing a questionable law, seems like a much more reasonable first step.

Filed Under: , , , , , , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “President Obama To Encourage Cybersecurity Information Sharing, Highlighting Why We Don't Need CISPA”

Subscribe: RSS Leave a comment
9 Comments
That One Guysays:

It’ll be interesting to see how the supporters of the CISPA-type bills will react to this. After all, if companies are already sharing threat information, then that would seem to remove a pretty large chunk of the justification for the bill(s) they’re pushing.

Of course I hardly expect honesty from the likes of those fear-mongers, so really the question is how they’ll change their ‘the terrorists are going to get us all!’ scare tactics after something like this.

Anonymoussays:

They need to specify EXACTLY what information is shared……..since this is a hack threat, exploits would be one of those definitions, information belonging to an individual would not

Im curious about the details to this, i like the idea of what is being said, its just i dont know, if what is being said is actually what is being proposed…….once shy, twice burnt

What i like, or what appears to be being said, a recognition that DEFENSIVE security is in the, for lack of a better description, in the limelight……..and more devs might actually start taking this into account when programming

Anonymoussays:

Re: Re:

It’s more about who watches the watchman, imho.

While a rule like

#by stillsecure
#
alert http $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:”ET WEB_SPECIFIC_APPS Campsite article_id Parameter UNION SELECT SQL Injection Attempt”; flow:established,to_server; content:”GET”; http_method; content:”/plugins/campsiteattachment/attachments.php?”; nocase; http_uri; content:”article_id=”; nocase; http_uri; content:”UNION”; nocase; http_uri; content:”SELECT”; nocase; http_uri; pcre:”/UNION.+SELECT/Ui”; reference:url,secunia.com/advisories/39580/; reference:url,doc.emergingthreats.net/2011217; classtype:web-application-attack; sid:2011217; rev:5;)

is great to catch people trying to take out your database on a web server, but if I’m pen testing my dedicated server and set off this alert than that was the whole point. Are responsible netizens now going to be punished for improving security? The government already tries to throw the book on whitehat’s, so I have a hard time justifying their involvement other than as another bystander in an open database of publicly available information.

John Fendersonsays:

Re: Re: Re:

“It’s more about who watches the watchman, imho”

And the more power the watchman has, the more important this becomes. But make no mistake, “watching the watchers” is really just a fallback defensive position. It would be better if the watchers were much more restricted in what they can watch.

However, as I’ve said before, if we’re going to have ubiquitous surveillance (as current seems to be the case), then it really needs to be an omnopticon rather than a panopticon.

Seegrassays:

paradigm shift

Unless the mission is

Eliminate all vulnerabilities, making everyone more secure

and not

Hoard or produce vulnerabilities to attack adversaries, making EVERYONE less secure

Nobody is going to trust these agencies. They won’t even trust each other, because this second case means agencies like the NSA is deliberately putting others like the DOA or the DEA or even the DOD at risk. Since the more people know (and need to know) details of these issues, they will inevitably leak, making them useless to attack anyone.

So it’s pretty much a given the NSA won’t tell the companies managing the power grid, since then the information would basically be public. And of course with not telling them, they put the power grid at risk.

Unless there’s a paradigm shift within these agencies, NOBODY can trust them.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...
Older Stuff
13:40 It's Great That Winnie The Pooh Is In The Public Domain; But He Should Have Been Free In 1982 (Or Earlier) (35)
12:06 Norton 360 Now Comes With Crypto Mining Capabilities And Sketchy Removal Process (28)
10:45 Chinese Government Dragnet Now Folding In American Social Media Platforms To Silence Dissent (14)
10:40 Daily Deal: The 2022 Ultimate Cybersecurity Analyst Preparation Bundle (0)
09:29 A Fight Between Facebook And The British Medical Journal Highlights The Difficulty Of Moderating 'Medical Misinformation' (9)
06:29 Court Ruling Paves The Way For Better, More Reliable Wi-Fi (4)
20:12 Eighth Circuit (Again) Says There's Nothing Wrong With Detaining Innocent Minors At Gunpoint (15)
15:48 China's Regulatory War On Its Gaming Industry Racks Up 14k Casualties (10)
13:31 Chinese Government Fines Local Car Dealerships For Surveilling While Not Being The Government (5)
12:08 Eric Clapton Pretends To Regret The Decision To Sue Random German Woman Who Listed A Bootleg Of One Of His CDs On Ebay (29)
10:44 ICE Is So Toxic That The DHS's Investigative Wing Is Asking To Be Completely Separated From It (29)
10:39 Daily Deal: The 2022 Complete Raspberry Pi And Arduino Developer Bundle (0)
09:31 Google Blocked An Article About Police From The Intercept... Because The Title Included A Phrase That Was Also A Movie Title (24)
06:22 Wireless Carriers Balk At FAA Demand For 5G Deployment Delays Amid Shaky Safety Concerns (16)
19:53 Tenth Circuit Denies Qualified Immunity To Social Worker Who Fabricated A Mother's Confession Of Child Abuse (35)
15:39 Sci-Hub's Creator Thinks Academic Publishers, Not Her Site, Are The Real Threat To Science, And Says: 'Any Law Against Knowledge Is Fundamentally Unjust' (34)
13:32 Federal Court Tells Proud Boys Defendants That Raiding The Capitol Building Isn't Covered By The First Amendment (25)
12:14 US Courts Realizing They Have A Judge Alan Albright Sized Problem In Waco (17)
10:44 Boston Police Department Used Forfeiture Funds To Hide Purchase Of Surveillance Tech From City Reps (16)
10:39 Daily Deal: The Ultimate Microsoft Excel Training Bundle (0)
09:20 NY Senator Proposes Ridiculously Unconstitutional Social Media Law That Is The Mirror Opposite Of Equally Unconstitutional Laws In Florida & Texas (25)
06:12 Telecom Monopolies Are Exploiting Crappy U.S. Broadband Maps To Block Community Broadband Grant Requests (7)
12:00 Funniest/Most Insightful Comments Of 2021 At Techdirt (17)
10:00 Gaming Like It's 1926: Join The Fourth Annual Public Domain Game Jam (6)
09:00 New Year's Message: The Arc Of The Moral Universe Is A Twisty Path (33)
19:39 DHS, ICE Begin Body Camera Pilot Program With Surprisingly Good Policies In Place (7)
15:29 Remembering Techdirt Contributors Sherwin And Elliot (1)
13:32 DC Metro PD's Powerful Review Panel Keeps Giving Bad Cops Their Jobs Back (6)
12:11 Missouri Governor Still Expects Journalists To Be Prosecuted For Showing How His Admin Leaked Teacher Social Security Numbers (39)
10:48 Oversight Board Overturning Instagram Takedown Of Ayahuasca Post Demonstrates The Impossibility Of Content Moderation (10)
More arrow
This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it