CISPA 2015 posted online

Andrew kyboren at riseup.net
Tue Jan 13 06:03:12 PST 2015


On 01/13/15 06:05, Polity News wrote:
> A copy of the CISPA 2015 bill has been posted online. Article
> http://piratetimes.net/exclusive-a-sneak-peek-at-cispa-2015/
>
> Link to new CISPA bill
> http://piratetimes.net/wp-uploads/news/2015/01/RUPPER_001_xml-1.pdf
>

Thanks for this.

IANAL, and I only quickly perused the draft bill.  However, I'm having 
trouble wrapping my head around what this bill is really *about*.  It 
seems vague, and as far as I can see has no clear purpose.  It smells of 
being written to look like one thing, while providing legal cover for 
something totally different.

I have a lot of questions.  Maybe those with more experience or cynicism 
can answer.

I'll start with the definitions:
> (2) CYBER THREAT INFORMATION, CYBER THREAT INTELLIGENCE, CYBERSECURITY
> CRIMES, CYBERSECURITY PROVIDER, CYBERSECURITY PURPOSE, AND
> SELF-PROTECTED ENTITY. The terms "cyber threat information", "cyber
> threat intelligence", "cybersecurity crimes", "cybersecurity provider",
> "cybersecurity purpose", and "self-protected entity" have the meaning
> given those terms in section 1104 of the National Security Act of 1947,
> as added by section 3(a) of this Act.

CYBER THREAT INFORMATION:
> (A) IN GENERAL. The term 'cyber threat information' means information
> directly pertaining to
>   (i) a vulnerability of a system or network of a government or private
>   entity or utility;
>   (ii) a threat to the integrity, confidentiality, or availability of a
>   system or network of a government or private entity or utility or any
>   information stored on, processed on, or transiting such a system or
>   network;
>   (iii) efforts to deny access to or degrade, disrupt, or destroy a
>   system or network of a government or private entity or utility; or
>   (iv) efforts to gain unauthorized access to a system or network of a
>   government or private entity or utility, including to gain such
>   unauthorized access for the purpose of exfiltrating information stored
>   on, processed on, or transiting a system or network of a government or
>   private entity or utility.
> (B) EXCLUSION. Such term does not include information pertaining to
> efforts to gain unauthorized access to a system or network of a
> government or private entity or utility that solely involve violations
> of consumer terms of service or consumer licensing agreements and do not
> otherwise constitute unauthorized access.

This appears identical (as far as I can see) to the language used for 
"cybersecurity intelligence", which is the same thing but originating 
from the "intelligence community" (so, NSA).

So, information "directly pertaining to" a vulnerability, a threat to a 
network, DoS attacks, efforts to gain "unauthorized access" (but not to 
be construed as including ToS violations).

What kind of information is "directly pertaining to" these?  Why does 
the bill provide for "anonymization and minimization" of such data?  And 
most of all, what prevented the sharing of such information before? The 
third party doctrine means any entity could share nearly any information 
at hand with the Feds and they could still use it in court.  But this 
talk of excluding ToS violations and "minimizing" this information 
smacks a lot like a concern about criminal matters.

Further, this bill does not appear to give or modify any FedGov 
authority to use its cybersecurity systems on private networks *for the 
protection of those networks*:
> (4) LIMITATION ON FEDERAL GOVERNMENT USE OF CYBERSECURITY SYSTEMS.
> Nothing in this section shall be construed to provide additional
> authority to, or modify an existing authority of, any entity to use a
> cybersecurity system owned or controlled by the Federal Government on a
> private-sector system or network to protect such private-sector system
> or network.

Did I miss something about giving authority to place systems on private 
networks for the protection of FedGov networks?





Also interesting to note that it defines "cybersecurity crime" as 
anything that violates CFAA *or* state law--IMO a very bad idea, as 
legislators in states like Mississippi have even less experience in 
computer security than Federal legislators, and fewer resources to make 
informed decisions--if they even intend to.

CYBERSECURITY CRIME:
> (6) CYBERSECURITY CRIME. The term 'cybersecurity crime' means
>   (A) a crime under a Federal or State law that involves
>     (i) efforts to deny access to or degrade, disrupt, or destroy a
>     system or network;
>     (ii) efforts to gain unauthorized access to a system or network; or
>     (iii) efforts to exfiltrate information from a system or network
>     without authorization; or
>   (B) the violation of a provision of Federal law relating to computer
>   crimes, including a violation of any provision of title 18, United
>   States Code, created or amended by the Computer Fraud and Abuse Act of
>   1986 (Public Law 99-474).



And of course, our corporate overlords are the only ones this applies 
to; individuals cannot avail themselves of the new information sharing 
bonanza.  What's the reason (both claimed and ulterior) for excluding 
individuals?
> (11) PROTECTED ENTITY. The term 'protected entity' means an entity,
> other than an individual, that contracts with a cybersecurity provider
> for goods or services to be used for cybersecurity purposes.
> (12) SELF-PROTECTED ENTITY. The term 'self-protected entity' means an
> entity, other than an individual, that provides goods or services for
> cybersecurity purposes to itself.



Maybe I missed something, but the very last page is concerning:
> Nothing in this Act or the amendments made by this Act shall be
> construed to provide authority to a department or agency of the Federal
> Government to require a cybersecurity provider that has contracted with
> the Federal Government to provide information services to provide
> information about cybersecurity incidents that do not pose a threat to
> the Federal Government's information.

So: there's no obligation to provide information about incidents that do 
not pose a threat to the FedGov.  Is there a section which *does* 
obligate these corporations to share information about incidents which 
*do* pose a threat to FedGov?!?



Now, about the use of the data....
> (7) LIMITATION ON SURVEILLANCE. Nothing in this section shall be
> construed to authorize the Department of Defense or the National
> Security Agency or any other element of the intelligence community to
> target a United States person for surveillance.

This paragraph, as we all know, is completely meaningless, as the 
surveillance machine is untargeted.  If you target everyone rather than 
someone in particular, this "restriction" is totally useless.

Very interesting language here:
> (2) AFFIRMATIVE RESTRICTION. The Federal Government may not
> affirmatively search cyber threat information shared with the Federal
> Government under subsection (b) for a purpose other than a purpose
> referred to in paragraph (1).

What is an "affirmative search", and how is it different from "search"? 
Is this another weasel-term to prohibit "human" searches while allowing 
automated searches?

In any case, the FedGov is allowed to use the information for:
> (c) FEDERAL GOVERNMENT USE OF INFORMATION.
>   (1) LIMITATION. The Federal Government may use cyber threat
>   information shared with the Federal Government in accordance with
>   subsection (b)
>     (A) for cybersecurity purposes;
>     (B) for the investigation and prosecution of cybersecurity crimes;
>     (C) for the protection of individuals from the danger of death or
>     serious bodily harm and the investigation and prosecution of crimes
>     involving such danger of death or serious bodily harm; or
>     (D) for the protection of minors from child pornography, any risk of
>     sexual exploitation, and serious threats to the physical safety of
>     minors, including kidnapping and trafficking and the investigation
>     and prosecution of crimes involving child pornography, any risk of
>     sexual exploitation, and serious threats to the physical safety of
>     minors, including kidnapping and trafficking, and any crime referred
>     to in section 2258A(a)(2) of title 18, United States Code.

So, protecting minors from "any risk of sexual exploitation" and 
generally "thinking of the children", preventing murder and kidnapping, 
for protection against any of the four "cyber threats" defined in the 
first quote above, and... drumroll please... for prosecuting hackers.

I'm guessing (B) is the real key here.

----------


It's hard to piece this all together, and I really want to hear others' 
impressions.  My impression is that:
1) DNI collected by NSA can be very useful in investigations, but 
prosecutors cannot use the evidence without disclosing sources and methods.
1a) The old solution to this problem was "parallel construction".
1b) Parallel construction is now under scrutiny, and they can't use it 
as easily as before.
2) But what if that data wasn't collected in an intelligence 
operation--what if organizations gave us this data directly?
3) Then FBI/NSA can still use the same DNI they've always been 
collecting, and acquired in the same way it always has been, but they 
can now just claim that the organization concerned gave it to them, so 
a) it can be used in court without 4th amd. challenges, and b) there's 
no risk of disclosing sources and methods.

What does everyone else think?
