[tptacek]

This is a blog post that makes two very broad claims:

1. That Chrysler can exploit CISA to avoid liability for vulnerabilities in their cars simply by sharing the flaws with the USG as an "indicator".

2. That the USG can use CISA to collude with private companies to avoid warrant requirements and spy on their customers.

Both of these points are, I think, false. I've linked upthread to the text of the bill and provided a summary. In particular, I don't think the "Chrysler reading" of the bill finds any support at all in the text; Chrysler is immunized from suits stemming from their own sharing, and even in the sharing, they are explicitly on the hook for negligence and misconduct.

If it's helpful, here's the entire limitation of liability in CISA. Notice: companies are exempt from liability for monitoring, sharing, and receipt of indicators. They aren't exempt from liability for having vulnerabilities in the first place!

    6.Protection from liability
     
    (a) Monitoring of information systems 
     
    No cause of action shall lie or be maintained in any court against
    any private entity, and such action shall be promptly dismissed,
    for the monitoring of information systems and information under
    section 4(a) that is conducted in accordance with this Act.
     
    (b) Sharing or receipt of cyber threat
    indicators 
     
    No cause of action shall lie or be maintained in any court against
    any entity, and such action shall be promptly dismissed, for the
    sharing or receipt of cyber threat indicators or defensive
    measures under section 4(c) if—
     
    (1) such sharing or receipt is conducted in accordance with this
    Act; and
     
    (2) in a case in which a cyber threat indicator or defensive
    measure is shared with the Federal Government, the cyber threat
    indicator or defensive measure is shared in a manner that is
    consistent with section 5(c)(1)(B) and the sharing or receipt, as
    the case may be, occurs after the earlier of—
     
    (A) the date on which the interim policies and procedures are
    submitted to Congress under section 5(a)(1); or
     
    (B) the date that is 60 days after the date of the enactment of
    this Act.
     
    (c) Construction
     
    Nothing in this section shall be
    construed—
     
    (1)to require dismissal of a cause of action against an entity
    that has engaged in gross negligence or willful misconduct in the
    course of conducting activities authorized by this Act; or
     
    (2)to undermine or limit the availability of otherwise applicable
    common law or statutory defenses.

[declan]

I'm not sure why you were downvoted for a reasonable post citing original sources (I upvoted you to try to correct that).

I expect I will disagree with you about the desirability of CISA, just as we disagreed years ago about CISPA, but enjoy your posts on the topic nevertheless. They make thoughtful and reasonable points. Even if you end up on the wrong side. :)

[tptacek]

Just to be clear: CISA is bad. I oppose it.

[oceanstone]

How many comments have you made expressing your opposition, versus painting groups fighting CISA in a negative light?

[tptacek]

I'm not "painting" anyone. People say things that are misleading, wrong, or outright dishonest. I point them out. I don't feel any need to justify that to you.

[oceanstone]

Well, wouldn't it be more productive to write your own blog post(s) on why CISA should be opposed?

[tptacek]

It would be about as productive as you writing a blog post about how much you disagree with my comments.

[zmanian]

I could bug Marcy for an answer. I will do totally inadequate job of defending her analysis compared to her.

It seems relatively simple to read this passage in the following way:

Let's say a major car company decided to leave open a port with a remote code execution vulnerability on their cars.

Let's say this car company discovered this port was being exploited and informs the NSA of affected vehicles IMEI numbers, IP addresses etc.

Now let's say FTC/NTSB wanted to put together a case for punishing the car manufacturer for their poor security operations.

It seems perfectly reasonable for a lawyer to read the passage from CISA and claim the court couldn't use any disclosure to the government under like the number of affected vehicles(easily calculated from the threat information previously shared) in any determination of liability.

[tptacek]

Again: they can't be prosecuted for sharing, for monitoring, or for receipt of information. This is statutory language and the words matter.

If there's an authority under which Chrysler can be prosecuted for having vulnerabilities (spoiler: I don't believe there is), CISA doesn't change any of that. Certainly, there's no clear linkage between CISA sharing and a private actor's ability to sue Chrysler for torts emerging from vulnerabilities.

I don't even think there's a stretch reading of the statute that gets you where this blog post lands.

[newman314]

Because the government has NEVER demonstrated any behavior in deliberate (expanded) interpretation of the law to further their interests.

The lengths taken to interpret "torture" for instance. It used to be that we have a fairly logical, common sense interpretation of things but I think those days are gone. I mean, unlimited data should really mean unlimited data not subject to some arbritary cap or throttling .

[tptacek]

Non-falsifiable argument is non-falsifiable.

[newman314]

I wish your echo chamber of trust were true. Unfortunately, it's not.

[zmanian]

It is probably impossible for a lay person to understand how a court is likely to interpret statutory language. I prefer my analysis from folks who devote a substantial amount of time to it.

Marcy compares the CISA liability protections to the very similar Section 314(b) of the Patriot Act financial information sharing liability safe harbor.

It seems at least plausible that they will operate in a similar fashion if CISA becomes law.

https://www.emptywheel.net/2015/10/14/time-to-get-very-conce...

[tptacek]

But that statute has also never been used to shield vendors from lawsuit or prosecution for vulnerabilities!