CISPA Bill a Threat to the Cloud?
The Cyber Intelligence Sharing and Protection Act (CISPA), recently passed in the House of Representatives, has drawn much criticism from civil libertarians. They are concerned about its impact on personal privacy. But privacy and confidentiality are also concerns for midsize firms and their IT departments--which means that one unintended side effect of the bill, if enacted into law, could be a severe blow to cloud computing. Individuals are not the only cloud users who now have to worry that it could allow cloud vendors to divulge their confidential data.
The controversy over CISPA, as previously noted here at Midsize Insider, centers on its extremely broad language. Firms are permitted (though not required) to share confidential data with "other entities" in the course of security investigations, if the data is believed to be related to security concerns in any way. This broad language brushes aside any other legal restrictions on information sharing and sets no standards for security actions. And as Ted Samson observes at InfoWorld, if this language is enacted into law it could allow any cloud provider to share the data it holds with a host of other "entities." That eliminates all protections for cloud users, personal or enterprise, beyond what the cloud vendor chooses on its own to provide.
This Is Security?
Yes, your cloud provider could promise--cross its heart and hope to die--that it would never divulge your data in the name of "security." But such a promise has nothing to back it up. For midsize firms and their legal and IT departments, the message is simple: Don't trust the cloud with anything.
CISPA is still a long way from being law. The Senate has passed a bill with better language, and the White House has cast doubts on the House version (without, however, threatening a veto).
The bill in its current form is not only bad for privacy and confidentiality; it is also miserably bad security policy. Set aside for the moment all concerns about deliberate abuse and think about plain old human error.
The more data gets shared and passed around, the greater the chance that someone will slip up and pass it out onto the open Internet. Much of security design and policy is devoted precisely to limiting such mistakes. But as IT managers at midsize firms know all too well, mistakes still happen. Placing no limits on divulging information in the name of security is like giving everyone a passkey, so that they can lock doors behind them. That is not how it will work in practice.
And enacting panic into law in the name of security is not a good policy for the cloud, midsize firms, or anyone.
This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.