[Torgo]

I understand what you're saying, but when legislation is proposed I look at what it very easily could enable, not just what it's written to be for. When I look at what's being proposed I see that the government is using its sovereign power to trade away my right to civil suit against a company in event of a data loss, in exchange to that company for it handing over private information (that very well can include customer information) without a warrant. In big broad, abstract ways this is to my benefit if it improves "cyber security" but it also removes some specific rights I have.

"None of the agencies or companies involved want to share any private information about their citizens or customers." The telcos have monetized their lawful intercept programs and receive bad publicity protection from the government by being legally entitled to keep it a secret. They now have a profit motive and the risk of bad publicity is low. And the civil liability immunity agreement (as I understand it) in CISPA will effectively act as a giant gift that only a sovereign power can grant, we'll offer you protection from being sued if you just hand over business data without a warrant.

If you want to talk about confusing, I watch C-SPAN constantly (it's an illness) and whenever anybody in the legislative or executive branch talks about "cyber security" they always talk about IP protection and "preventing a cyber pearl harbor" in the same breath. So if you want to blame somebody for the confusion start with the people proposing this legislation.

[tptacek]

You are not allowed to make arguments that are directly rebutted by the facts. There were drafts of CISPA that were published in which the assets protected by the bill (which defines attacks in terms of the familiar C.I.A. triad) included "IP", which would have included things like the source code to operating system drivers. But the bill that got voted on included a series of amendments, all published, that neutered that language because of exactly that concern.

CISPA is simply not about the interests of rightsholders.

[nitrogen]

CISPA is simply not about the interests of rightsholders.

The commenter to which you are replying did not make that assertion. The mention of IP was an attempt to identify the source of the confusion between cybersecurity and IP rights, not about CISPA specifically. Here's what the parent comment actually claimed:

When I look at what's being proposed I see that the government is using its sovereign power to trade away my right to civil suit against a company in event of a data loss, in exchange to that company for it handing over private information (that very well can include customer information) without a warrant. In big broad, abstract ways this is to my benefit if it improves "cyber security" but it also removes some specific rights I have....

And the civil liability immunity agreement (as I understand it) in CISPA will effectively act as a giant gift that only a sovereign power can grant, we'll offer you protection from being sued if you just hand over business data without a warrant.

Nothing about rightsholders in there.

[tptacek]

The bill is clearly not about rightsholders, so it is intellectually dishonest to suggest that there is a legitimate concern about power grabs by rightsholders in it. "I watch C-SPAN religiously and they're always talking about IP rights" is not a substitute for reading the bill.

[nitrogen]

The sentence you quote is referring to the confusion about the bill, not the bill itself. Again, the OP didn't claim that CISPA was about IP.

[tptacek]

I disagree, but I don't think this subthread is important enough to litigate. If he wants to chime in and say "I absolutely am not saying CISPA is part of a scheme that will increase the powers of rightsholders", I'll apologize for mischaracterizing him.

[Torgo]

I absolutely am not saying CISPA is part of a scheme that will increase the powers of "rightsholders." I don't see that in there. I was referring to the "spying" claim of the parent post of my first response.

My concern is with limiting of my right to civil suit against a corporation, and my fear that the bartering of these rights for information bypasses legal constraints on information collecting by government and law enforcement.

[likpok]

> If you want to talk about confusing, I watch C-SPAN constantly (it's an illness) and whenever anybody in the legislative or executive branch talks about "cyber security" they always talk about IP protection and "preventing a cyber pearl harbor" in the same breath.

The trouble is that the effective, worthwhile and highly damaging cyberattacks all involve IP, in some way or another. There's not much value in taking down Coca-Cola's internal network. Stealing their M&A strategies or product roadmaps can be extremely lucrative/damaging (I recall seeing estimates that billions have been lost as a result).

[Torgo]

No they don't. I think it is extremely confusing to talk about theft of data at the same time as talking about someone hacking a nuclear power plant to go into meltdown or something. When people say things like "cyber pearl harbor" at that time they could be talking about a DDOS that makes it impossible to do online banking or they could be talking about an attack on SCADA systems at a power plant that takes out power for a city. It really drives me nuts because either everybody in government talking about it is a poor thinker or they are intentionally being vague.

[tptacek]

I have no idea what this comment is even trying to articulate. You suggest two kinds of "cyber attacks", one which cause power plants to malfunction and the other that attacks online banking. I am not sure what you think this distinction demonstrates about online security.

On the one hand, the attacks on power plants that you allude to are possible. Utilities have been networked and electronically controlled since the 1970s. Nobody builds networks on telephony or X.25 anymore; it's all IP. IP connectivity to insanely sensitive systems leaks routinely; moreover, application-level data sharing between Internet-connected systems and supposedly air-gapped backend systems is extremely common.

On the other hand, the "less serious" attacks you allude to are very very bad. Google and Hotmail aren't national utilities. But they are attacked by state actors because dissident organizations use them to communicate. For that matter, the Internet backbone is a collection of computers sharing information using a decades-old routing protocol for which policy is controlled by regular expressions.

Finally, if you run a startup and happen to say something I disagree with, such as "I think CISPA is a power grab by the content industry", I could today very easily push you off the Internet with a trivial DDoS attack. The people who extorted online casinos with DDoS botnets were not rocket surgeons. When I attack you for disagreeing me online, and you call your ISP, guess what you're going to hear? "You're on your own". It is always very weird for me to see people on Hacker News, a hub for online startup news, downplaying the severity of DOS attacks. I've spent a decent chunk of my career in DOS mitigation and it is not remotely a solved problem.

[Torgo]

I think the government has a legitimate interest in protecting against computer attacks on public infrastructure that could result in death, and I see a place in there for government involvement. To a lesser degree there is a legitimate interest for government regarding IP theft. But I think how the government is involved and what powers they have, are different for these two scenarios. I understand that they overlap. CISPA is going to give government a much expanded jurisdiction and I don't think the restrictions are fine-grained enough.