Continuous Monitoring, Big Data, and Concerns with CISPA
Why is CDT opposed to a House bill intended to promote sharing of information about cyberthreats? And why do we prefer a Senate proposal on information sharing?
The reasons for our opposition to the Cyber Intelligence Sharing and Protection Act (CISPA) are well-illustrated by this opening sentence from an article yesterday in Government Computer News:
"Continuous monitoring is the order of the day for federal IT systems, and automated tools are generating more data about the status and behavior of agency networks. The next challenge, analysts, vendors and government officials say, is making use of all that data."
Delete the references to "federal" IT systems and "agency" networks and you understand the scope of our concern: Continuous monitoring is the order of the day for all information systems, including major ISPs and other service providers. Continuous monitoring is generating huge amounts of data about the behavior of all networks and about the behavior of users of all networks.
CISPA would allow automated monitoring of data on private networks to flow directly to the National Security Agency, a super-secret military agency, and it would allow the use of that information for any national security purpose, including purposes unrelated to cybersecurity. The Senate bill, by contrast, would feed private sector data to the civilian Department of Homeland Security, which is more subject to public accountability, and it would not allow use of cyber-monitoring information for unrelated national security purposes.
The ongoing developments in big data analysis, developments in which the NSA is surely a leader, will make it increasingly possible to analyze network data to generate a wide range of inferences and other knowledge. Having that power in the hands of private network operators, and in the hands of the government monitoring its own networks, is risky enough. But feeding the huge flows of data generated by continuous monitoring into a military agency, where it could be used not only for cybersecurity but for any national security purpose, could result in a major shift in power that is incompatible with a democratic system.
That is just one reason why we oppose CISPA.