On CISA
I have avoided writing about the Cybersecurity Information Sharing Act (CISA), largely because the details kept changing. (For those not following closely, similar bills were passed by both the House and the Senate. They’re now being combined into a single bill which will be voted on again, and then almost certainly signed into law by President Obama.)
Now that it’s pretty solid, I find that I don’t have to write anything, because Danny Weitzner did such a good job, writing about how the bill encourages companies to share personal information with the government, allows them to take some offensive measures against attackers (or innocents, if they get it wrong), waives privacy protections, and gives companies immunity from prosecution.
Information sharing is essential to good cybersecurity, and we need more of it. But CISA is a really bad law.
This is good, too.
Hugo Leisink • November 17, 2015 12:31 PM
Increased security is not gained by giving up privacy, but it is gained by improving security. This might sound silly, but there is really a lot to improve. The average IT professional knows little about security. Often, I meet developers who don’t know how SQL injection works, administrators who don’t know much about server hardening, project managers who never heard about penetration testing. I truly believe that about half of all IT personnel knows too little about security to do his/her job right. Surveillance and catching criminals is not the solution to cyber crime. Improving security is. It is time for politicians to realize that.