
CISPA: ‘Devil Is in the Details’ of Cybersecurity Bill, UB Law Professor Says

EXPERT CONTACT :

Mark Bartholomew

Associate Professor of Law

University at Buffalo School of Law

716-645-5959

bartholo@buffalo.edu

Bartholomew is an expert in intellectual property and cyber law. Here, he comments on the Cyber Intelligence Sharing and Protection Act (CISPA), a controversial cybersecurity bill pending in Congress.

On the intent of CISPA:
“The basic thought behind CISPA is to enable corporations holding personal online data to share it with the federal government when necessary to prevent a national security threat.”
On why CISPA could raise serious privacy concerns:
“I think CISPA is a good idea, but the devil is in the details. Right now, the language of the proposed act calls for sharing of online data when it is needed to help prevent a ‘cyber threat.’ The real question is how do you define ‘cyber threat?’
“I do not want that definition of ‘cyber threat’ to be satisfied except in extraordinary circumstances. There are serious privacy concerns at stake, and personal online data should only be shared with the Feds when it really is needed to prevent a national threat.”
On the difference between CISPA and SOPA, a previous cybersecurity bill that sparked significant protest among consumers:
“SOPA (the Stop Online Piracy Act) was designed to prevent intellectual property infringement, not threats to national security. SOPA was about giving intellectual property-holders and the government the right to shut down infringing websites -- for example, stopping foreign websites that allowed you to watch bootleg copies of Hollywood movies. CISPA addresses a different issue: when is it acceptable for companies to turn over your personal online information to the Feds.”
Why some tech companies like CISPA:  
“It is important to note that the legislation does NOT require companies to turn over your online data to the government. It just allows companies to do so when that definition of cyber threat has been satisfied.
“Companies like Facebook like this proposed law because it gives them legal cover if they turn over personal information and then someone tries to sue them for a privacy violation. They also argue that the legislation will help them coordinate with government agencies and respond to cyber threats to their own platforms more quickly. My big concern is that, if cyber threat is defined too vaguely, it would give the government too great of an ability to snoop through our personal online information.”
On whether CISPA, like SOPA, will spark widespread outrage and protest:
“I don’t know. The online outrage at SOPA was kind of a shock to me; usually, pro-intellectual property rights legislation like SOPA just sails through Congress. I think there is definitely the possibility for CISPA to galvanize many in the online community like SOPA did because there are many who do not like the idea of their personal information being shared with others.
“On the other hand, one big force against SOPA was that powerful technology companies like Google and Wikipedia moved against the legislation because they saw it as a threat to their bottom line. Here, I do not know what the corporate constituency is against CISPA. It looks like it is just up to individual citizens (and advocacy groups like the ACLU) to protest if CISPA portends to turn everything into a cyber threat.”

Related Q&A: SOPA's Vague Language Could Lead to Wide Restrictions on Information Available on the Internet, UB Expert Says


"Hacktivist" Groups Like "Anonymous" Are Not the Biggest Threat to Cybersecurity, Says UB Information Assurance Expert

EXPERT CONTACT :

Dr. Shambhu Upadhyaya

Professor of Computer Science and Engineering and Director of UB's Center of Excellence in Information Systems Assurance Research and Education

University at Buffalo School of Engineering and Applied Sciences

716-645-3183

shambhu@buffalo.edu

Shambhu Upadhyaya teaches and conducts research in the area of computer security. He is director of the Center of Excellence in Information Systems Assurance Research and Education (CEISARE), whose work has included studying cybersecurity and training students to protect the nation’s information technology systems.

With hacker collectives carrying out high-profile cyber attacks, most recently claiming to have stolen a large trove of data including personal information from U.S. law enforcement agencies, Upadhyaya comments on how much of a threat these groups really pose to cybersecurity.

Q: Are hacker groups like Anonymous the biggest threats to cybersecurity today?

A: No. Groups such as Anonymous, LulzSec, AntiSec, etc. belong to a special group who indulge in ‘hacktivism’ — hacking and activism. They are largely sympathizers of ‘freedom of information,’ and their agenda is basically to protest what they perceive as violation of freedom of information or violation of privacy. These attacks are not aimed at individuals but against organizations. Based on the recent arrests across the country and in the U.K., it appears that the group consists of juveniles who want to get some notoriety. They are not big threats because they indulge in denial of service attacks—creating nuisances such as defacing of websites, slowing down online accesses on the Internet, etc.—and occasionally stealing sensitive information such as password files, social security information, etc.

 
Q: What are some of the most important threats to cybersecurity today?

A: The biggest threat to cyber security is attacks on the nation's critical infrastructure such as the electric power grid, transportation system, financial network and military assets. We have seen attacks on the Pentagon's $300 billion F-35 Joint Strike Fighter project in April 2009, where the attackers stole some critical/sensitive information. Hacktivism attacks of the type of Anonymous, LulzSec, AntiSec, etc. cannot be ignored, but they are of much lower risk compared to the attacks aimed at the nation's critical infrastructure.
 
Q: What are some new approaches being developed to prevent cyber attacks?

A: The Cyber Security and Internet Freedom Act 2011 that is in the works at the government is the right thing in fighting cyber attacks. It focuses on training and recruiting a cyber security workforce to protect the critical assets of the nation. Companies and academia are doing research on cyber security to counter cyber attacks but there is no magical solution for this problem yet. There will never be a complete solution for cyber attacks because it involves a combination of process, technology and people, the people becoming the weakest link in the security chain. As an individual, one should use strong passwords and apply security patches to their systems constantly. One should not open unsolicited and suspicious emails and attachments. Such good practices will prevent a number of attacks and make you somewhat secure.
 
Q: What else might the public be interested to know about groups like Anonymous?

A: Anonymous showed solidarity to WikiLeaks last year when WikiLeaks founder Julian Assange was arrested. As an act of sympathy, they attacked Visa, MasterCard and online payment companies such as PayPal since these companies broke ties with WikiLeaks. Anonymous group also attacked Fox News and CIA websites. (The) FBI went after Anonymous and made several arrests recently in the U.S. and U.K. Other sympathizer groups such as AntiSec attacked several law enforcement agency websites as a retaliation to the arrest of Anonymous members.
 
The latest Anonymous activity is their alleged threat to attack Facebook because they do not agree with Facebook's privacy protection measures — they perceive that Facebook is spying on users' privacy and colludes with law enforcement agencies to "unprotect" users' privacy. This kind of activism/protest is illegal and constitutes a cyber crime.

 

 
