Congress is moving to bolster our country’s defenses against cyber attacks, but must also protect the data-privacy rights of law-abiding Americans.
By Alan Schoenbaum, General Counsel, Rackspace
Only a few months after Congressional leaders withdrew the deeply flawed anti-piracy bills known as SOPA and PIPA, regulation of the Internet is back on the Washington agenda. The acronym of the hour is CISPA, the Cyber Intelligence Sharing and Protection Act, which the U.S. House advanced last week on a vote of 248 to 168.
Legal and technical experts at Rackspace have been studying CISPA, and our company’s customers and employees have been asking about it. I’m writing today to outline our position on the legislation.
CISPA has been drafted with the best of intentions, but it needs more work in order to more effectively balance security goals and privacy concerns.
CISPA aims to enhance information sharing among the intelligence community, government agencies and private entities that use cybersecurity systems by shielding companies that disclose cyber threat information from liability.
For example, if a service provider suspects that it has been attacked, it can share information, such as network activity logs, with the government, intelligence agencies and others, and do so with immunity and without redacting non-relevant information. That unredacted data could include customers’ traffic, account activity and other records that have nothing to do with the suspected attack.
With appropriate safeguards, increased cyber security collaboration can help prevent denial-of-service attacks, thefts of sensitive information and attacks on the nation’s infrastructure.
As a leading Internet service provider, Rackspace fights cyber threats every day. It’s a difficult, expensive and vital undertaking, and we welcome effective and practical assistance in this effort. But the approach taken by CISPA has raised concerns at Rackspace and among others in our industry. We are discussing those concerns with key lawmakers in both parties and both houses of Congress, and are optimistic that CISPA will be improved as the legislative process grinds forward.
At Rackspace, we encourage legislation crafted to make our nation’s digital networks more secure, so long as it respects the digital privacy of individuals and businesses — including our customers — who are not suspected of any crime.
Further, cyber-security legislation should reflect the new realities of how IT works in the cloud. Any new law should be tailored to fit the way that individuals and companies today use shared computing resources, which are available on demand, across the globe.
On both of these grounds, CISPA, as passed by the House, falls short of what is needed in a balanced and effective cyber security bill. Let me give a few specifics, and some suggestions on ways the legislation can be improved.
First, we do not think the bill’s information-sharing language adequately protects personally identifiable information. If companies and government agencies are protected from liability as a result of sharing information in the name of protecting against cyber attacks, the law should include provisions to block or redact elements of that data that belong to or identify specific individuals or companies that are not suspected of criminal activity.
Second, CISPA does not recognize the impact that data-privacy laws of other countries, particularly in Europe, have on U.S. technology companies — and on U.S. competitiveness. Some European officials, along with European companies that compete against U.S. Internet firms, are actively spreading misinformation about U.S. law. We continually hear the canard that it is “unsafe” to host data with U.S.-based cloud-computing companies in their European data centers because the U.S. government can access customers’ data easily, without due process. That’s simply not true.
In fact, there is no U.S. law that overrides the data-privacy laws of European nations. The Patriot Act does not allow U.S. law enforcement agencies to access data in overseas data centers. Yet CISPA has re-ignited this issue, to the detriment of U.S. companies and the competitiveness of one of America’s fastest growing industries. Congress should provide specific assurances that the data privacy laws of our trading partners will be respected, and this issue will then be put to rest.
Third, any cyber security bill that is designed to encourage and protect information sharing must recognize the complexities created by the shared computing infrastructure that is at the heart of cloud computing. Selective information sharing, in the name of stopping cyber threats, can have the unintended consequence of magnifying a security risk: in a multi-tenant environment, details of an unpatched vulnerability shared outside the provider expose every other customer running on the same infrastructure, not just the tenant who reported it. A user of public cloud computing services should not be permitted to disclose information about a vulnerability in that cloud without first disclosing it to the cloud provider. This approach would give the provider an opportunity to resolve the vulnerability as quickly and simply as possible, or to limit or block disclosure in cases where the disclosure would pose a threat to other users served by that provider.
These are complicated issues. It is very hard to draft a law that anticipates future technologies. But we can start by making sure that any new law at least takes account of today’s technologies. I believe we can find common ground in balancing security goals with the protection of data privacy, and with the promotion of U.S. competitiveness in the global Internet-service industry.
I and several of my colleagues will travel to Washington this week to meet with key lawmakers and other officials regarding CISPA. We will keep you posted on what we learn, and on our progress. Please let us know your thoughts.