CISPA attempts to improve cybersecurity for a few large companies by allowing very broad data sharing between the US government and private companies. Instead of focusing on improving cybersecurity for users and the open web, and limiting sharing to the kind of information that is necessary to achieve this purpose, CISPA ignores core principles of the open web and user privacy in pursuit of a solution that does not actually improve security.
Any cybersecurity legislation should:
- Be designed to deliver a direct security benefit to all users, not just a small subset of users
  - CISPA and similar cybersecurity legislation focuses on creating a framework that helps corporate actors share information to prevent data breaches. However, the law largely focuses on breaches that result in loss of intellectual property. Legislation needs to take into account the cybersecurity of user data and specifically be tailored to address (i) corporate breaches involving user data, in ways that are actionable by users, and (ii) cybersecurity threats faced by general users, not just large corporations.
- Result in open and transparent processes and data that will benefit the general public, not just a small subset of users
  - All data shared through any cybersecurity process designed to improve security by data sharing should be publicly available in real time to all, not a chosen few. [Generally, this data should be limited to data about the incident, data about mitigation, and data about the potential threats.] [Perhaps a variation of this statement is appropriate]
- Account for the privacy impact of the legislation on users
  - CISPA broadens the kind of user information that can be provided without a warrant, without justification or mitigation. Any appropriate legislation needs to account for the privacy of the general user base. If a given security mitigation involves blocking devices that could be identifiable to a user, some process to challenge this mitigation and protect users of machines that are misidentified as threats needs to be in place.
- Result in an internationally defensible stance on cybersecurity
  - Any solution should address cybersecurity threats to users from bad actors both within and outside the territorial borders of the US.
- Make use of the types of programs and threat models that companies and open source entities already use to increase their security
  - Bounty programs
  - Open source privacy practices
Lawmakers may benefit from a set of privacy principles when considering laws with a privacy impact on users. Mozilla's privacy principles are available at: http://www.mozilla.org/en-US/privacy/#principles. [Perhaps we can help draft a set of principles we would like to see used by lawmakers that is understandable in DC wording instead of open web wording?]