On 01/13/15 06:05, Polity News wrote:
A copy of the CISPA 2015 bill has been posted online. Article http://piratetimes.net/exclusive-a-sneak-peek-at-cispa-2015/
Link to new CISPA bill http://piratetimes.net/wp-uploads/news/2015/01/RUPPER_001_xml-1.pdf
Thanks for this. IANAL, and I only quickly perused the draft bill. However, I'm having trouble wrapping my head around what this bill is really *about*. It seems vague, and as far as I can see has no clear purpose. It smells of being written to look like one thing, while providing legal cover for something totally different. I have a lot of questions. Maybe those with more experience or cynicism can answer. I'll start with the definitions:
(2) CYBER THREAT INFORMATION, CYBER THREAT INTELLIGENCE, CYBERSECURITY CRIMES, CYBERSECURITY PROVIDER, CYBERSECURITY PURPOSE, AND SELF-PROTECTED ENTITY. The terms "cyber threat information", "cyber threat intelligence", "cybersecurity crimes", "cybersecurity provider", "cybersecurity purpose", and "self-protected entity" have the meaning given those terms in section 1104 of the National Security Act of 1947, as added by section 3(a) of this Act.
CYBER THREAT INFORMATION:
"(A) IN GENERAL. The term 'cyber threat information' means information directly pertaining to
"(i) a vulnerability of a system or network of a government or private entity or utility;
"(ii) a threat to the integrity, confidentiality, or availability of a system or network of a government or private entity or utility or any information stored on, processed on, or transiting such a system or network;
"(iii) efforts to deny access to or degrade, disrupt, or destroy a system or network of a government or private entity or utility; or
"(iv) efforts to gain unauthorized access to a system or network of a government or private entity or utility, including to gain such unauthorized access for the purpose of exfiltrating information stored on, processed on, or transiting a system or network of a government or private entity or utility.
"(B) EXCLUSION. Such term does not include information pertaining to efforts to gain unauthorized access to a system or network of a government or private entity or utility that solely involve violations of consumer terms of service or consumer licensing agreements and do not otherwise constitute unauthorized access.
This appears identical (as far as I can see) to the language used for "cybersecurity intelligence", which is the same thing but originating from the "intelligence community" (so, NSA). So, information "directly pertaining to" a vulnerability, a threat to a network, DoS attacks, efforts to gain "unauthorized access" (but not to be construed as including ToS violations). What kind of information is "directly pertaining to" these? Why does the bill provide for "anonymization and minimization" of such data? And most of all, what prevented the sharing of such information before? The third party doctrine means any entity could share nearly any information at hand with the Feds and they could still use it in court. But this talk of excluding ToS violations and "minimizing" this information smacks a lot of a concern about criminal matters. Further, this bill does not appear to give or modify any FedGov authority to use its cybersecurity systems on private networks *for the protection of those networks*:
"(4) LIMITATION ON FEDERAL GOVERNMENT USE OF CYBERSECURITY SYSTEMS. Nothing in this section shall be construed to provide additional authority to, or modify an existing authority of, any entity to use a cybersecurity system owned or controlled by the Federal Government on a private-sector system or network to protect such private-sector system or network.
Did I miss something about giving authority to place systems on private networks for the protection of FedGov networks? Also interesting to note that it defines "cybersecurity crime" as anything that violates CFAA *or* state law--IMO a very bad idea, as legislators in states like Mississippi have even less experience in computer security than Federal legislators, and fewer resources to make informed decisions--if they even intend to. CYBERSECURITY CRIME:
"(6) CYBERSECURITY CRIME. The term 'cybersecurity crime' means
"(A) a crime under a Federal or State law that involves
"(i) efforts to deny access to or degrade, disrupt, or destroy a system or network;
"(ii) efforts to gain unauthorized access to a system or network; or
"(iii) efforts to exfiltrate information from a system or network without authorization; or
"(B) the violation of a provision of Federal law relating to computer crimes, including a violation of any provision of title 18, United States Code, created or amended by the Computer Fraud and Abuse Act of 1986 (Public Law 99-474).
And of course, our corporate overlords are the only ones this applies to; individuals cannot avail themselves of the new information sharing bonanza. What's the reason (both claimed and ulterior) for excluding individuals?
"(11) PROTECTED ENTITY. The term 'protected entity' means an entity, other than an individual, that contracts with a cybersecurity provider for goods or services to be used for cybersecurity purposes.
"(12) SELF-PROTECTED ENTITY. The term 'self-protected entity' means an entity, other than an individual, that provides goods or services for cybersecurity purposes to itself.
Maybe I missed something, but the very last page is concerning:
Nothing in this Act or the amendments made by this Act shall be construed to provide authority to a department or agency of the Federal Government to require a cybersecurity provider that has contracted with the Federal Government to provide information services to provide information about cybersecurity incidents that do not pose a threat to the Federal Government's information.
So: there's no obligation to provide information about incidents that do not pose a threat to the FedGov. Is there a section which *does* obligate these corporations to share information about incidents which *do* pose a threat to FedGov?!? Now, about the use of the data....
"(7) LIMITATION ON SURVEILLANCE. Nothing in this section shall be construed to authorize the Department of Defense or the National Security Agency or any other element of the intelligence community to target a United States person for surveillance.
This paragraph, as we all know, is completely meaningless, as the surveillance machine is untargeted. If you target everyone rather than someone in particular, this "restriction" is totally useless. Very interesting language here:
"(2) AFFIRMATIVE RESTRICTION. The Federal Government may not affirmatively search cyber threat information shared with the Federal Government under subsection (b) for a purpose other than a purpose referred to in paragraph (1).
What is an "affirmative search", and how is it different from "search"? Is this another weasel-term to prohibit "human" searches while allowing automated searches? In any case, the FedGov is allowed to use the information for:
"(c) FEDERAL GOVERNMENT USE OF INFORMATION.
"(1) LIMITATION. The Federal Government may use cyber threat information shared with the Federal Government in accordance with subsection (b)
"(A) for cybersecurity purposes;
"(B) for the investigation and prosecution of cybersecurity crimes;
"(C) for the protection of individuals from the danger of death or serious bodily harm and the investigation and prosecution of crimes involving such danger of death or serious bodily harm; or
"(D) for the protection of minors from child pornography, any risk of sexual exploitation, and serious threats to the physical safety of minors, including kidnapping and trafficking and the investigation and prosecution of crimes involving child pornography, any risk of sexual exploitation, and serious threats to the physical safety of minors, including kidnapping and trafficking, and any crime referred to in section 2258A(a)(2) of title 18, United States Code.
So, protecting minors from "any risk of sexual exploitation" and generally "thinking of the children", preventing murder and kidnapping, for protection against any of the four "cyber threats" defined in the first quote above, and... drumroll please... for prosecuting hackers. I'm guessing (B) is the real key here.

----------

It's hard to piece this all together, and I really want to hear others' impressions. My impression is that:

1) DNI collected by NSA can be very useful in investigations, but prosecutors cannot use the evidence without disclosing sources and methods.
1a) The old solution to this problem was "parallel construction".
1b) Parallel construction is now under scrutiny, and they can't use it as easily as before.
2) But what if that data wasn't collected in an intelligence operation--what if organizations gave us this data directly?
3) Then FBI/NSA can still use the same DNI they've always been collecting, and acquired in the same way it always has been, but they can now just claim that the organization concerned gave it to them, so a) it can be used in court without 4th amd. challenges, and b) there's no risk of disclosing sources and methods.

What does everyone else think?