[daten]

I worry that most of the opposition to this bill is based on FUD that EFF is spreading. Having experience actually working in the security industry and knowing the limitations that this bill is trying to address, the ability of the government and private sector to work together to keep malicious groups out of their networks, I recognize the necessity and intentions of this bill.

This isn't about spying on Americans. This isn't SOPA with a new name. This isn't about stopping piracy or spying on your facebook profile. This bill is about letting government agencies share intelligence on network threats with private companies so those companies can protect their customers information. None of the agencies or companies involved want to share any private information about their citizens or customers. There are lots of lawyers involved in the process to ensure that doesn't happen.

I wonder if some of that exhaustion is also what leads people to not read the bill or understand the context and just assume it's another anti-piracy bill.

[Torgo]

I understand what you're saying, but when legislation is proposed I look at what it very easily could enable, not just what it's written to be for. When I look at what's being proposed I see that the government is using its sovereign power to trade away my right to civil suit against a company in event of a data loss, in exchange to that company for it handing over private information (that very well can include customer information) without a warrant. In big broad, abstract ways this is to my benefit if it improves "cyber security" but it also removes some specific rights I have.

"None of the agencies or companies involved want to share any private information about their citizens or customers." The telcos have monetized their lawful intercept programs and receive bad publicity protection from the government by being legally entitled to keep it a secret. They now have a profit motive and the risk of bad publicity is low. And the civil liability immunity agreement (as I understand it) in CISPA will effectively act as a giant gift that only a sovereign power can grant, we'll offer you protection from being sued if you just hand over business data without a warrant.

If you want to talk about confusing, I watch C-SPAN constantly (it's an illness) and whenever anybody in the legislative or executive branch talks about "cyber security" they always talk about IP protection and "preventing a cyber pearl harbor" in the same breath. So if you want to blame somebody for the confusion start with the people proposing this legislation.

[tptacek]

You are not allowed to make arguments that are directly rebutted by the facts. There were drafts of CISPA that were published in which the assets protected by the bill (which defines attacks in terms of the familiar C.I.A. triad) included "IP", which would have included things like the source code to operating system drivers. But the bill that got voted on included a series of amendments, all published, that neutered that language because of exactly that concern.

CISPA is simply not about the interests of rightsholders.

[nitrogen]

CISPA is simply not about the interests of rightsholders.

The commenter to which you are replying did not make that assertion. The mention of IP was an attempt to identify the source of the confusion between cybersecurity and IP rights, not about CISPA specifically. Here's what the parent comment actually claimed:

When I look at what's being proposed I see that the government is using its sovereign power to trade away my right to civil suit against a company in event of a data loss, in exchange to that company for it handing over private information (that very well can include customer information) without a warrant. In big broad, abstract ways this is to my benefit if it improves "cyber security" but it also removes some specific rights I have....

And the civil liability immunity agreement (as I understand it) in CISPA will effectively act as a giant gift that only a sovereign power can grant, we'll offer you protection from being sued if you just hand over business data without a warrant.

Nothing about rightsholders in there.

[tptacek]

The bill is clearly not about rightsholders, so it is intellectually dishonest to suggest that there is a legitimate concern about power grabs by rightsholders in it. "I watch C-SPAN religiously and they're always talking about IP rights" is not a substitute for reading the bill.

[nitrogen]

The sentence you quote is referring to the confusion about the bill, not the bill itself. Again, the OP didn't claim that CISPA was about IP.

[tptacek]

I disagree, but I don't think this subthread is important enough to litigate. If he wants to chime in and say "I absolutely am not saying CISPA is part of a scheme that will increase the powers of rightsholders", I'll apologize for mischaracterizing him.

[likpok]

> If you want to talk about confusing, I watch C-SPAN constantly (it's an illness) and whenever anybody in the legislative or executive branch talks about "cyber security" they always talk about IP protection and "preventing a cyber pearl harbor" in the same breath.

The trouble is that the effective, worthwhile and highly damaging cyberattacks all involve IP, in some way or another. There's not much value in taking down Coca-Cola's internal network. Stealing their M&A strategies or product roadmaps can be extremely lucrative/damaging (I recall seeing estimates that billions have been lost as a result).

[Torgo]

No they don't. I think it is extremely confusing to talk about theft of data at the same time as talking about someone hacking a nuclear power plant to go into meltdown or something. When people say things like "cyber pearl harbor" at that time they could be talking about a DDOS that makes it impossible to do online banking or they could be talking about an attack on SCADA systems at a power plant that takes out power for a city. It really drives me nuts because either everybody in government talking about it is a poor thinker or they are intentionally being vague.

[tptacek]

I have no idea what this comment is even trying to articulate. You suggest two kinds of "cyber attacks", one which cause power plants to malfunction and the other that attacks online banking. I am not sure what you think this distinction demonstrates about online security.

On the one hand, the attacks on power plants that you allude to are possible. Utilities have been networked and electronically controlled since the 1970s. Nobody builds networks on telephony or X.25 anymore; it's all IP. IP connectivity to insanely sensitive systems leaks routinely; moreover, application-level data sharing between Internet-connected systems and supposedly air-gapped backend systems is extremely common.

On the other hand, the "less serious" attacks you allude to are very very bad. Google and Hotmail aren't national utilities. But they are attacked by state actors because dissident organizations use them to communicate. For that matter, the Internet backbone is a collection of computers sharing information using a decades-old routing protocol for which policy is controlled by regular expressions.

Finally, if you run a startup and happen to say something I disagree with, such as "I think CISPA is a power grab by the content industry", I could today very easily push you off the Internet with a trivial DDoS attack. The people who extorted online casinos with DDoS botnets were not rocket surgeons. When I attack you for disagreeing me online, and you call your ISP, guess what you're going to hear? "You're on your own". It is always very weird for me to see people on Hacker News, a hub for online startup news, downplaying the severity of DOS attacks. I've spent a decent chunk of my career in DOS mitigation and it is not remotely a solved problem.

[Torgo]

I think the government has a legitimate interest in protecting against computer attacks on public infrastructure that could result in death, and I see a place in there for government involvement. To a lesser degree there is a legitimate interest for government regarding IP theft. But I think how the government is involved and what powers they have, are different for these two scenarios. I understand that they overlap. CISPA is going to give government a much expanded jurisdiction and I don't think the restrictions are fine-grained enough.

[declan]

You give EFF too much credit. The ACLU, the American Library Association, the Center for Democracy and Technology, the Competitive Enterprise Institute and the Liberty Coalition (both libertarian/conservative groups -- the latter includes Bob Barr and Grover Norquist's Americans for Tax Reform), Reporters Without Borders, etc. sent a letter yesterday to Congress opposing CISPA.

I'm not sure why you think the very smart lawyers and legislative counsel at the ACLU, the ALA, etc. are incapable of reaching their own conclusions about the relative merits of legislation.

I hope you're right that CISPA isn't about spying on Americans. The problem is that, as written, it allows precisely that, with the cooperation of the same companies that have opened their networks to the FedGov in the past. If the wildcard language trumping all state and federal privacy laws were deleted, I think a lot of the (informed) opposition would vanish.

BTW, there were "lots of lawyers involved in the process" of creating SOPA. Look how that turned out. I'd be far more comforted if there we had fewer lawyers and more technologists involved. :)

More: http://news.cnet.com/8301-31921_3-57422693-281/ and http://news.cnet.com/8301-13578_3-57574196-38/

[gojomo]

What are the current barriers to agencies sharing intelligence with private companies? Can you give an anonymized/abstract example, where the FBI/etc might have actionable info about a 'cyber threat', and under current law can't pick up the phone or send an email warning private companies?

[snowwrestler]

Primarily the barrier from government to company was that much of the valuable info was classified. The Obama executive order on cybersecurity created a mechanism to bypass this barrier that is similar to what was in CISPA.

So why pass CISPA now? To remove the barrier in the other direction, from company to government. Right now there are interpretations of certain federal laws that say that companies cannot share threat data with the government. In addition, public companies fear shareholder lawsuits if they were to disclose publicly that they have been hacked.

In an ideal world you would have a virtuous cycle, where one company stops a threat, sends the critical threat info the government, which shares it with every other company--all basically in real time. That would prevent, or at least reduce, the issue now where one exploit works again and again and again at different companies.

Whether it is possible to do this while adequately protecting privacy is the issue. I'm not a lawyer but it seems to me like it should be doable if the language in the bill is done right.

[AnthonyMouse]

>In an ideal world you would have a virtuous cycle, where one company stops a threat, sends the critical threat info the government, which shares it with every other company--all basically in real time.

But why does the government need the information at all? Why not have a private consortium of companies who share threat information under NDA (or, for that matter, just allow it to be published), and craft appropriate legislation to allow that?

[tptacek]

CISPA allows exactly that to happen! Any "Cyber security provider" can collect and share information (on a voluntary, opt-in basis) under the act. Moreover, the largest repository of threat information --- netflow traces, botnet identification, &c --- is housed inside the USG, which is prevented from sharing that information. That's the other problem CISPA solves.

Did you read the bill? I'm not asking in an accusatory way; I'm wondering where you got your information from, so I can read it too.

[AnthonyMouse]

>Did you read the bill?

Reading bills is usually a headache because they keep changing. Cue Pelosi's idiotic comment about having to pass the law so we can know what's in it. This one seems to be no exception: The original bill is talking about intellectual property, people complained about it, they removed that in later versions. EFF is complaining about how it doesn't put limits on what the federal government can do with the information, so they added some limits, but they're overly broad. (What does "national security" even mean? Because it's pretty plausible it's going to be read as "whatever the National Security Agency or Department of Homeland Security does with it.") I mean it's good that they're taking criticism into account and making modifications, but it seems like a really weird bill, and I think it's a good thing that it's getting a lot of scrutiny.

If you want me to go through it and complain about it, I can do that…

>CISPA allows exactly that to happen!

Not exactly. First of all, publication seems very much not to be the idea. Half the the bill is talking about security clearances and the like, and how if you get "cyber threat information" from the feds (presumably even if they got it from other private sector entities) then it could still be classified and you can't publish it. And I don't see anything in the bill about the information becoming automatically declassified once a patch is available, so that's not going to be good for full disclosure. Plus, if I get this super secret threat information, now how do I e.g. submit a patch to the Linux kernel or OpenSSH to address it without impermissibly letting the cat out of the bag? Have they thought this one through?

But my original point was not that private entities could share information too, the point was, why should we want the federal government to have it? There is a real concern that they would use vulnerability information to advance their stupid "cyberwar" nonsense and then accidentally loose the network equivalent of the black plague, or use vulnerabilities to spy on people and expand their warrantless surveillance of the world population. I can see why they might be able to use the information to patch their own systems, but I would be a lot happier to see a specific restriction that disallows anyone from using any information received under these provisions for offensive or surveillance purposes.

>Moreover, the largest repository of threat information --- netflow traces, botnet identification, &c --- is housed inside the USG, which is prevented from sharing that information. That's the other problem CISPA solves

I don't think that's the part people have a problem with. It's not the information coming out of the government (assuming it really is technical information and not anything that identifies individuals or impinges on privacy), rather it's the information going back into it to feed proto-Skynet.

But let's talk about some of the other crazy things.

1) It seems like a major part of the legislation is the grant of immunity for entities that share information. Which is a really very strange thing. Why do these entities need to be exempted from all state and federal laws? Can we not identify the specific ones that are problematic and then fix them? Certainly at least identifying them would be useful. I'm not really comfortable with the idea of exempting companies from prosecution for, say, polluting the water supply or murdering bystanders when they're reporting or responding to cybersecurity vulnerabilities. And if we can't even identify the laws we're concerned about, that seems like a problem more in need of our attention than this.

2) Why are individuals explicitly excluded from qualifying as "protected entities" or "self-protected entities" that would otherwise qualify them for the immunity provision? Are Microsoft and its employees for some reason more deserving of immunity than e.g. Moxie Marlinspike, or any random schmuck who finds and wants to report a security vulnerability?

3) There is a whole list of things under "protection of sensitive personal documents" like library circulation records and medical records. First of all, how is any of that sort of thing the sort of thing that should qualify for this in the first place? But never mind that. If those things would otherwise qualify, shouldn't we then be concerned about a lot of other stuff that isn't on the list, like browsing history, search history, financial records, purchasing history, location data, etc.?

4) The section on liability for wrongful disclosure by the federal government is pretty extreme. I'm not happy with it as a taxpayer. So if the federal government screws up (it's been known to happen) and releases a vulnerability e.g. in some financial software that causes a trillion dollars in damages to other countries, the U.S. taxpayer is on the hook for that to any person adversely affected, not because they had any responsibility for the vulnerability but only because the government disclosed it? No thank you. How about instead we put some some personal liability on the government employee(s) who actually made the wrongful disclosure.

5) The bill does a lot of talking about the U.S. federal government and not a lot of talking about state governments or foreign governments. It looks like they may qualify as entities however, and if they don't then that's weird (because what if I want to share threat information with my city or state or Canada or something?). But then we're exempting state governments and foreign governments from all state and federal laws for "decisions made based on cyber threat information identified, obtained, or shared under this section"? What???

This is where I reiterate my concern that we're exempting them from laws against things like murder, kidnapping, wiretapping, espionage, terrorism, etc. Granted the exemption requires acting in "good faith" -- but that's putting a lot of work behind two fuzzy words.

The whole immunity thing seems like a huge kludge that doesn't address the underlying problem, which is really the Aaron Swartz problem. Some laws are unnecessarily complicated, overly broad or poorly drafted such that liability under them is arbitrary and unreasonable, but instead of carefully fixing the bad laws individually, we just throw them all away in this one specific case and let anyone else subjected to their continuing insanity fend for themselves.

[tptacek]

Wow. Ok. Let me take a shot at this.

* Bills start as draft language. The draft is circulated so that organizations like ACLU can point out things like "this bill gives too much deference to content rightsholders". The bill's authors then say, "that's not at all the intent of the bill" and then fix the language. It is very weird to complain about this, since it's the system actually working in the public interest. So, sorry, you're going to have to keep reading the bill. Also: CISPA is tiny. You can read it inside of 5 minutes. It isn't PPACA, the bill Pelosi commented on.

* I don't think software vulnerabilities are the best or most likely example of information that will be shared from the USG to the private sector under CISPA, but to the extent it is, you can simply assume that a (say) OpenSSH bug disclosed under CISPA to (say) Facebook is going to be patched immediately. I am a vulnerability researcher; that's my profession. It is a near-consensus among vulnerability researchers that the sooner vulnerability data is published, the safer we all are. I find it difficult to be concerned that CISPA might get OpenSSL flaws published faster. If that happens, great.

* If organizations don't want to share vulnerability information with the USG, they don't have to. CISPA is entirely opt-in. Moreover: vulnerabilities are a bad example of information CISPA enables sharing for. Companies can already lawfully share vulnerabilities with the USG. There is a whole cottage industry of small companies that sell vulnerabilities to the intelligence services. To the extent that your concerns about CISPA involve trafficking in privacy-harming exploit code (a very legitimate concern in general), you are (respectfully) ill informed about the current state of cybersecurity regulation.

* The reason CISPA preempts existing privacy laws and provides protection from liability is because there are lots of different privacy regulations on the books that make it difficult for companies operating in certain verticals to share any data without expensive legal review. If you deal with classroom data, you've got FERPA. If you have driver records, you have DPPA. CISPA does not repeal DPPA or HIPAA or FERPA; instead, it simply says that as long as companies are dealing in good faith with attack data --- "cyber threat information", a term the bill goes to some lengths to define --- they can reasonably assume they won't get sued for violating HIPAA by sharing that attack data.

* Individuals are exempted as private entities to protect individual privacy. The intent of that definition as stated by the bill's authors was to prevent CISPA from being interpreted as a mechanism for ISPs and the USG to enter into agreements to track individual customers. See "Myths and Facts About CISPA" at the House Intelligence Committee page. So: you have that concern exactly backwards.

* I don't have any response to your concern that the USG should not be liable for negligence in publishing sensitive data. I see it as a good thing that the bill creates accountability for the handling of the data, and wish there was more accountability in the bill, not less.

There are other questions in your comment that I didn't address because I didn't understand them, sorry.