CISPA 2015 posted online
Andrew
kyboren at riseup.net
Tue Jan 13 06:03:12 PST 2015
On 01/13/15 06:05, Polity News wrote:
> A copy of the CISPA 2015 bill has been posted online. Article
> http://piratetimes.net/exclusive-a-sneak-peek-at-cispa-2015/
>
> Link to new CISPA bill
> http://piratetimes.net/wp-uploads/news/2015/01/RUPPER_001_xml-1.pdf
>
Thanks for this.
IANAL, and I only quickly perused the draft bill. However, I'm having
trouble wrapping my head around what this bill is really *about*. It
seems vague, and as far as I can see has no clear purpose. It smells of
being written to look like one thing, while providing legal cover for
something totally different.
I have a lot of questions. Maybe those with more experience or cynicism
can answer.
I'll start with the definitions:
> (2) CYBER THREAT INFORMATION, CYBER THREAT INTELLIGENCE, CYBERSECURITY CRIMES, CYBERSECURITY PROVIDER, CYBERSECURITY PURPOSE, AND SELF-PROTECTED ENTITY. The terms "cyber threat information", "cyber threat intelligence", "cybersecurity crimes", "cybersecurity provider", "cybersecurity purpose", and "self-protected entity" have the meaning given those terms in section 1104 of the National Security Act of 1947, as added by section 3(a) of this Act.
CYBER THREAT INFORMATION:
> "(A) IN GENERAL. The term 'cyber threat information' means information directly pertaining to
> "(i) a vulnerability of a system or network of a government or private entity or utility;
> "(ii) a threat to the integrity, confidentiality, or availability of a system or network of a government or private entity or utility or any information stored on, processed on, or transiting such a system or network;
> "(iii) efforts to deny access to or degrade, disrupt, or destroy a system or network of a government or private entity or utility; or
> "(iv) efforts to gain unauthorized access to a system or network of a government or private entity or utility, including to gain such unauthorized access for the purpose of exfiltrating information stored on, processed on, or transiting a system or network of a government or private entity or utility.
> "(B) EXCLUSION. Such term does not include information pertaining to efforts to gain unauthorized access to a system or network of a government or private entity or utility that solely involve violations of consumer terms of service or consumer licensing agreements and do not otherwise constitute unauthorized access.
This appears identical (as far as I can see) to the language used for
"cybersecurity intelligence", which is the same thing but originating
from the "intelligence community" (so, NSA).
So, information "directly pertaining to" a vulnerability, a threat to a
network, DoS attacks, efforts to gain "unauthorized access" (but not to
be construed as including ToS violations).
What kind of information is "directly pertaining to" these? Why does
the bill provide for "anonymization and minimization" of such data? And
most of all, what prevented the sharing of such information before? The
third party doctrine means any entity could share nearly any information
at hand with the Feds and they could still use it in court. But this
talk of excluding ToS violations and "minimizing" this information
smacks a lot like a concern about criminal matters.
Further, this bill does not appear to give or modify any FedGov
authority to use its cybersecurity systems on private networks *for the
protection of those networks*:
> "(4) LIMITATION ON FEDERAL GOVERNMENT USE OF CYBERSECURITY SYSTEMS. Nothing in this section shall be construed to provide additional authority to, or modify an existing authority of, any entity to use a cybersecurity system owned or controlled by the Federal Government on a private-sector system or network to protect such private-sector system or network.
Did I miss something about giving authority to place systems on private
networks for the protection of FedGov networks?
Also interesting to note that it defines "cybersecurity crime" as
anything that violates CFAA *or* state law--IMO a very bad idea, as
legislators in states like Mississippi have even less experience in
computer security than Federal legislators, and fewer resources to make
informed decisions--if they even intend to.
CYBERSECURITY CRIME:
> "(6) CYBERSECURITY CRIME. The term 'cybersecurity crime' means
> "(A) a crime under a Federal or State law that involves
> "(i) efforts to deny access to or degrade, disrupt, or destroy a system or network;
> "(ii) efforts to gain unauthorized access to a system or network; or
> "(iii) efforts to exfiltrate information from a system or network without authorization; or
> "(B) the violation of a provision of Federal law relating to computer crimes, including a violation of any provision of title 18, United States Code, created or amended by the Computer Fraud and Abuse Act of 1986 (Public Law 99-474).
And of course, our corporate overlords are the only ones this applies
to; individuals cannot avail themselves of the new information sharing
bonanza. What's the reason (both claimed and ulterior) for excluding
individuals?
> "(11) PROTECTED ENTITY. The term 'protected entity' means an entity, other than an individual, that contracts with a cybersecurity provider for goods or services to be used for cybersecurity purposes.
> "(12) SELF-PROTECTED ENTITY. The term 'self-protected entity' means an entity, other than an individual, that provides goods or services for cybersecurity purposes to itself.
Maybe I missed something, but the very last page is concerning:
> Nothing in this Act or the amendments made by this Act shall be construed to provide authority to a department or agency of the Federal Government to require a cybersecurity provider that has contracted with the Federal Government to provide information services to provide information about cybersecurity incidents that do not pose a threat to the Federal Government's information.
So: there's no obligation to provide information about incidents that do
not pose a threat to the FedGov. Is there a section which *does*
obligate these corporations to share information about incidents which
*do* pose a threat to FedGov?!?
Now, about the use of the data....
> "(7) LIMITATION ON SURVEILLANCE. Nothing in this section shall be construed to authorize the Department of Defense or the National Security Agency or any other element of the intelligence community to target a United States person for surveillance.
This paragraph, as we all know, is completely meaningless, as the
surveillance machine is untargeted. If you target everyone rather than
someone in particular, this "restriction" is totally useless.
Very interesting language here:
> "(2) AFFIRMATIVE RESTRICTION. The Federal Government may not affirmatively search cyber threat information shared with the Federal Government under subsection (b) for a purpose other than a purpose referred to in paragraph (1).
What is an "affirmative search", and how is it different from "search"?
Is this another weasel-term to prohibit "human" searches while
allowing automated searches?
In any case, the FedGov is allowed to use the information for:
> "(c) FEDERAL GOVERNMENT USE OF INFORMATION.
> "(1) LIMITATION. The Federal Government may use cyber threat information shared with the Federal Government in accordance with subsection (b)
> "(A) for cybersecurity purposes;
> "(B) for the investigation and prosecution of cybersecurity crimes;
> "(C) for the protection of individuals from the danger of death or serious bodily harm and the investigation and prosecution of crimes involving such danger of death or serious bodily harm; or
> "(D) for the protection of minors from child pornography, any risk of sexual exploitation, and serious threats to the physical safety of minors, including kidnapping and trafficking and the investigation and prosecution of crimes involving child pornography, any risk of sexual exploitation, and serious threats to the physical safety of minors, including kidnapping and trafficking, and any crime referred to in section 2258A(a)(2) of title 18, United States Code.
So, protecting minors from "any risk of sexual exploitation" and
generally "thinking of the children", preventing murder and kidnapping,
for protection against any of the four "cyber threats" defined in the
first quote above, and... drumroll please... for prosecuting hackers.
I'm guessing (B) is the real key here.
----------
It's hard to piece this all together, and I really want to hear others'
impressions. My impression is that:
1) DNI collected by NSA can be very useful in investigations, but
prosecutors cannot use the evidence without disclosing sources and methods.
1a) The old solution to this problem was "parallel construction".
1b) Parallel construction is now under scrutiny, and they can't use it
as easily as before.
2) But what if that data wasn't collected in an intelligence
operation--what if organizations gave us this data directly?
3) Then FBI/NSA can still use the same DNI they've always been
collecting, acquired in the same way it always has been, but they
can now just claim that the organization concerned gave it to them, so
a) it can be used in court without 4th amd. challenges, and b) there's
no risk of disclosing sources and methods.
What does everyone else think?