Bad Legislation Ignores Basic Cyber-Security Measures In Favor of Draconian Measures
Security experts said that the Cyber Intelligence Sharing and Protection Act (CISPA) is not needed, and would do more harm than good.
But the House passed CISPA last month.
Speaking on the floor of the U.S. Senate on Monday evening, Sen. Ron Wyden said there is “understandable fear” driving legislation like CISPA, but cautioned that the “gross negligence” of network operators is no reason to create “a Cyber Industrial Complex” that profits on Americans’ private data:
CISPA is an example of what not to do.
It’s a fundamental principle of cyber-security policy that any network whose failure could result in loss of life or significant property should be physically isolated from the Net.
Unfortunately many of our critical network operators have violated this principle in order to save money or streamline operations. This sort of gross negligence ought to be the first target in any cyber-security program – not the privacy of individual Americans.
Now, Congress could target this behavior with yet another rulebook and one more bureaucracy, creating a cyber-security contractor full-employment program. I am not yet convinced that this is a problem that requires such a solution.
At the same time Congress should not allow our critical network operators to ignore best practices with impunity. It is vital that they understand that any liability for a preventable cyber attack is their responsibility – there’s not going to be a government bail-out after the fact in the cyber-security area.
As they stand, these bills are an overreaction to a legitimate and understandable fear. The American people will respond by limiting their online activities. That would be a recipe to stifle speech, innovation, job creation, and social progress.
I believe these bills will encourage the development of an industry that profits from fear and whose currency is Americans’ private data. These bills create a Cyber Industrial Complex that has an interest in preserving the problem to which it is the solution.
Wyden concluded that both bills represent a “false choice” between security and privacy, saying:
Our job is to write a cyber-security bill that protects Americans’ security and their fundamental right to privacy. There is no sound policy reason to sacrifice the privacy rights of law-abiding American citizens in the name of cyber-security and I will fight any legislation that asks this Senate to make that choice.