I wrote a blog post last week about the current Privacy Theater in the US, where the government is simultaneously pushing stricter privacy regulations and huge backdoors that would completely undermine privacy. The backdoors come in the form of the Cyber Intelligence Sharing and Protection Act or CISPA. The folks at Lumin Consulting have put together a good infographic that illustrates how CISPA undermines privacy:
I am actually sympathetic to the basic idea behind CISPA, which is to make it easier to share incident data as a way to identify and protect against attacks. But the way that CISPA goes about it is wrong on two important levels. First, it would stuff the incident information into the existing agency and vendor world instead of making it widely available on the Internet. Wide availability would let researchers, hobbyists and new vendors all work on improving security. In other words it would enable the Internet to help protect the Internet.
The second big mistake in CISPA is that it uses broad language when what we need is a tight and well-specified sharing protocol. I am not suggesting that such a protocol can be devised to cover all types of attacks and attack-related information, but rather that by starting with something tight we can go from no public data to a lot of public data. For instance, reporting IPs involved in DDoS attacks would be a great and very precise starting point. The way the government can help here is by helping to define the reporting standard and starting small instead of shooting for some all-encompassing solution.
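To make the contrast between "broad language" and a tight, well-specified format concrete, here is an added example that is not part of the original post: a strict validator for a hypothetical minimal DDoS-source report format. The record layout (the four field names, the closed attack-type vocabulary, JSON Lines framing) and the sample feed are constructed for this illustration, not taken from any real standard. The point it shows is that a narrow schema which rejects anything not explicitly allowed is itself a privacy control: a report cannot carry a subscriber's e-mail address or free-text notes along with the attacking IP, because the validator refuses the whole record.

```python
"""Strict validator for a hypothetical, deliberately minimal DDoS-source report
format (JSON Lines, one report per line). Added example; field names, the
attack-type vocabulary and the sample feed are all constructed for illustration."""
import ipaddress
import json
import re
from datetime import datetime, timezone

# Closed vocabulary: free text is not an attack type.
ATTACK_TYPES = frozenset({"syn_flood", "udp_amplification",
                          "dns_amplification", "http_flood"})
# Exactly these fields and nothing else (hypothetical names).
REQUIRED_FIELDS = frozenset({"source_ip", "observed_at", "attack_type", "reporter"})
# Ranges that can never be a public DDoS source; a report naming one is either a
# mistake or an internal address leaking out. RFC 5737 / RFC 3849 documentation
# ranges are deliberately not listed so the constructed sample below can use them.
NON_ROUTABLE = tuple(ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8"))
REPORTER_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")  # opaque handle, not a person


def validate_record(rec):
    """Return (True, normalized_record) or (False, reason). Fails closed."""
    if not isinstance(rec, dict):
        return False, "record is not a JSON object"
    extra = set(rec) - REQUIRED_FIELDS
    if extra:  # reject unknown fields instead of passing them through
        return False, "unexpected fields: " + ", ".join(sorted(extra))
    missing = REQUIRED_FIELDS - set(rec)
    if missing:
        return False, "missing fields: " + ", ".join(sorted(missing))
    try:
        ip = ipaddress.ip_address(rec["source_ip"])
    except ValueError:
        return False, "source_ip is not a valid IP address"
    if any(ip in net for net in NON_ROUTABLE):
        return False, "source_ip is not a publicly routable address"
    ts_raw = rec["observed_at"]
    if not isinstance(ts_raw, str):
        return False, "observed_at must be a string"
    if ts_raw.endswith("Z"):  # older Pythons do not accept a trailing Z
        ts_raw = ts_raw[:-1] + "+00:00"
    try:
        ts = datetime.fromisoformat(ts_raw)
    except ValueError:
        return False, "observed_at is not an ISO 8601 timestamp"
    if ts.tzinfo is None:  # a naive time means a different clock per reporter
        return False, "observed_at must carry a UTC offset"
    if rec["attack_type"] not in ATTACK_TYPES:
        return False, "attack_type is not in the allowed vocabulary"
    if not isinstance(rec["reporter"], str) or not REPORTER_RE.fullmatch(rec["reporter"]):
        return False, "reporter must be a short opaque identifier"
    return True, {
        "source_ip": str(ip),
        "observed_at": ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "attack_type": rec["attack_type"],
        "reporter": rec["reporter"],
    }


def parse_feed(text):
    """Validate a JSON Lines feed; return (accepted_records, [(line_no, reason)])."""
    accepted, rejected = [], []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except ValueError:
            rejected.append((line_no, "line is not valid JSON"))
            continue
        ok, result = validate_record(rec)
        (accepted.append(result) if ok else rejected.append((line_no, result)))
    return accepted, rejected


# Constructed sample feed: RFC 5737 documentation addresses, made-up reporters.
SAMPLE_FEED = "\n".join([
    '{"source_ip": "198.51.100.23", "observed_at": "2012-04-20T14:05:00Z", "attack_type": "syn_flood", "reporter": "isp-a"}',
    '{"source_ip": "203.0.113.7", "observed_at": "2012-04-20T14:05:30+00:00", "attack_type": "dns_amplification", "reporter": "isp-b"}',
    # A subscriber's e-mail has no place in a DDoS source report: whole record rejected.
    '{"source_ip": "198.51.100.99", "observed_at": "2012-04-20T14:06:00Z", "attack_type": "syn_flood", "reporter": "isp-a", "subscriber_email": "someone@example.com"}',
    # Internal address leaking out of the reporter's own network.
    '{"source_ip": "10.1.2.3", "observed_at": "2012-04-20T14:06:10Z", "attack_type": "udp_amplification", "reporter": "isp-c"}',
    # Free text instead of a value from the closed vocabulary.
    '{"source_ip": "203.0.113.8", "observed_at": "2012-04-20T14:06:20Z", "attack_type": "suspicious stuff, see attached pcap", "reporter": "isp-c"}',
    # Timestamp without an offset is ambiguous across reporters.
    '{"source_ip": "203.0.113.9", "observed_at": "2012-04-20 14:06", "attack_type": "http_flood", "reporter": "isp-b"}',
    'not json at all',
])

if __name__ == "__main__":
    good, bad = parse_feed(SAMPLE_FEED)
    for rec in good:
        print("accepted:", rec)
    for line_no, reason in bad:
        print("rejected line %d: %s" % (line_no, reason))
```

Running the block accepts the first two lines and rejects the other five with a one-line reason each. The design choice worth noticing is that every check fails closed: an unknown field, a non-routable source, or a note typed into `attack_type` discards the record rather than being forwarded "for context", which is exactly the discipline a broad statutory sharing mandate does not impose.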