Why CISPA Legislation Couldn’t Have Stopped the Sony Hack

Ever since the Internet has become the primary vehicle through which people communicate information and conduct financial transactions, the U.S. has had to walk a fine line between providing security and respecting privacy. Breaches like the Sony hack reveal how easy it is for cyber hackers to obtain information capable of bringing down an entire company.

Revived interest in the Cyber Intelligence Sharing and Protection Act (CISPA) is an excellent case in point. This legislation, which President Obama threatened to veto two years earlier, would not potentially erode people's 4th Amendment Rights to an unprecedented extent; it would fail to solve the problems it is supposed to address.

What is the CISPA?

This cybersecurity legislation has already been on the floor of Congress two times before. Representative Michael Rogers of Michigan first introduced the bill in 2011 when it passed a House vote and was rejected by the Senate. The House approved a second version of the bill in 2013, but it languished in the Senate until being revised by Dianne Feinstein under a new name, the Cybersecurity Information Sharing Act (CISA), in 2014.

The latest incarnation, introduced by Democratic Representative Dutch Ruppersberg in January of 2015 as a measure to prevent further Sony hacks from taking place, gives federal agencies broad and unspecified authority to obtain data from just about any company where personal information is stored if it deems that information a threat to cybersecurity.

The bill has garnered increasing non-partisan support, despite being opposed by a wide variety of groups, including the ACLU and various libertarian organizations.

Problems with CISPA

The main problem is that CISPA defines both the intelligence it can gain access to and what constitutes a "cyber threat" in vague and open-ended language. The lack of specificity would make it easy for the National Security Agency to widen the scope of an investigation almost indefinitely, removing the protection against unreasonable search and seizure afforded to individual Americans under the 4th Amendment.

Many opponents point out that the language "notwithstanding any other provision of the law" – especially the word notwithstanding – is problematic, as this seems to place the information sharing powers of the bill above any other law that might protect individual privacy.

A final problem with the CISPA act is that the bill provides a kind of loophole to corporations, who are encouraged to share information in "good faith" but not explicitly required to do so. When the barriers between the government and corporations come down, and there is no accountability at the corporate end, mistakes and misuse of personal data become not only more likely but also virtually untraceable.

Why CISPA Could Not Have Prevented the Sony Hacks

Hackers use a variety of sophisticated means to gain access to the mainframe systems of companies. Sometimes the breach can occur when personnel log into their work accounts from home; other times there may be an internal leak. Cybersecurity courses dive into what is needed to create a more secure infrastructure in order to safeguard data no matter where the system is accessed from. Malware named BKDR_WIPALL, which had been used in previous cyber hacks, is the suspected culprit that allowed the Sony hackers access to sensitive personal data and unreleased materials that they then leaked to the public.

The fact that speculation about how the Sony breach happened is still going on months after the fact underscores the most important reason the CISPA act would be ineffective at stopping future cyber attacks. If no one has been able to identify how the hackers got into Sony's systems, how would the NSA and other U.S. security agencies have been able to identify the hacker in time to prevent an attack?

Moreover, it is unlikely that a giant corporation like Sony would simply hand over sensitive corporate information to the NSA and other government agencies since they would not be required to do so. A far more likely use of CISPA would be to make it easier for governmental agencies to gather personal data on individuals through information sharing. One can argue whether that pursuit has merit in other circumstances. However, it would have little to no value in stopping future cyber hacks.

A Better Way to Protect Cybersecurity

There are a number of ways individuals can protect themselves from cyber attacks and reduce the likelihood of having their sensitive personal data stolen or corrupted:

  • Make sure to install regular updates on browsers and software.
  • Use a different password for each account.
  • Check to see if a website is secure before you enter sensitive information.
  • Remain vigilant against phishing scams.

The best way society as a whole can protect against cybersecurity threats is to design and implement systems to keep data safe. A company that hires an IT professional with a cybersecurity certification is a step ahead of the game as they will be able to use their skills and ingenuity to prevent attacks from these hackers. Staying current with the new cyber crime trends is the only effective way to keep information out of the hands of the wrong people.

Visit our Resource Center for more details on the information assurance industry.

Access Information Assurance Resources