Have you heard about CISPA? It’s the acronym for the Cyber Intelligence Sharing and Protection Act.
CISPA is being likened to the now-moribund SOPA and PIPA bills smothered by Congress after widespread public opposition.
However, only opponents see similarities. Advocates see it as completely different.
While SOPA and PIPA were about shutting down US web sites serving as the “tubes” through which suspected pirated intellectual property flowed, CISPA is about private companies sharing data in both directions with US government agencies, including Pentagon spy agencies like the National Security Agency (NSA).
Opponents of CISPA, however, see similarities because they say that once again the government is trying to give itself too many easily abused powers to violate the constitutional rights of Americans. In this case, the potential violation is of the Fourth Amendment (unreasonable searches and seizures) rather than the First (abridging the freedom of speech).
Major opponents include the Electronic Frontier Foundation, which has a detailed FAQ about the bill on its web site.
CISPA came out of committee in December, and is being changed to address some of the concerns of opponents before it’s formally debated or voted upon sometime in the future.
You can read a hundred articles about CISPA and not get a straight answer about the threat it attempts to address, so I’ll do that here. Chinese hackers are hacking American companies blind.
Private companies, hackers for hire and probably some elements of the Chinese government have perfected the art of hacking for the purpose of industrial espionage -- stealing the trade secrets of foreign companies and then selling or giving them to Chinese companies.
Other countries, including Russia, also have strong industrial espionage programs that are probably state-sponsored. But nobody does it like China.
Congressman Michael Rogers, a sponsor of CISPA, said this week that he’s “never seen something grow more exponentially serious than China's capabilities in cyber espionage... It is so prolific—it's breathtaking. In the last year, China has stolen so much intellectual property that it would be considered 50 times the print collection of the United States Library of Congress.”
The problem of Chinese industrial espionage may be considered the most likely issue that could draw China and the United States into an actual, full-blown war.
The Guardian newspaper this week revealed that the Pentagon and the Chinese military establishment have been cooperating on a series of “war games” as a way to prevent future war between the two countries.
The basic “war games” scenario is one in which each side launches a Stuxnet-type virus attack against the other, exploring how each would respond to such an attack.
According to the article, “The need for the meetings has been underlined in recent months as the US and the UK have tried to increase pressure on China, which they regard as chiefly responsible for the theft of billions of dollars of plans and intellectual property from defense manufacturers, government departments, and private companies at the heart of America's national infrastructure.”
When a malicious hacker attacks a network, he gets access to some part of a system, looking for targets, vulnerabilities and additional information that will enable him to gain access to other parts of the system.
In the case of industrial espionage, the home run is to steal intellectual property in the form of source code, internal communications and all kinds of business information that might help another company outbid, negotiate and generally defeat competitors in the marketplace.
A good hacker tries to cover his tracks, erasing data from log files and removing evidence that he gained access.
To counter such an attack, it’s vital that the security team itself have access to the same network in order to search for clues that the system was compromised, and to figure out how the break-in was accomplished.
No network is an island, so it also helps to have access to the technical details from the manufacturers of the network and security equipment and software, and in some cases to be able to spy on the alleged hacker -- read his emails, that sort of thing.
Here’s the problem in a nutshell: China has access to US corporations’ networks, but the US government does not, at least not legally.
Because Chinese industrial espionage is considered a threat to national security, the US government believes it needs information about the same US networks that Chinese hackers have accessed in order to discover the means of access, figure out a solution, then share that solution with other US companies so they won’t be so easily compromised.
I don’t believe for a second that the NSA or any other spy organization would hesitate to break into US companies’ networks itself to shut down Chinese hackers. But stopping industrial espionage would be a lot quicker and easier with the general cooperation of US law and of the companies involved.
CISPA would authorize the Department of Homeland Security, the NSA and other US government organizations to share intelligence about hack attacks with private US companies, and enable the companies to share information about break-ins with the government without fear of being sued by users.