[AnthonyMouse]

>In an ideal world you would have a virtuous cycle, where one company stops a threat, sends the critical threat info the government, which shares it with every other company--all basically in real time.

But why does the government need the information at all? Why not have a private consortium of companies who share threat information under NDA (or, for that matter, just allow it to be published), and craft appropriate legislation to allow that?

[tptacek]

CISPA allows exactly that to happen! Any "Cyber security provider" can collect and share information (on a voluntary, opt-in basis) under the act. Moreover, the largest repository of threat information --- netflow traces, botnet identification, &c --- is housed inside the USG, which is prevented from sharing that information. That's the other problem CISPA solves.

Did you read the bill? I'm not asking in an accusatory way; I'm wondering where you got your information from, so I can read it too.

[AnthonyMouse]

>Did you read the bill?

Reading bills is usually a headache because they keep changing. Cue Pelosi's idiotic comment about having to pass the law so we can know what's in it. This one seems to be no exception: The original bill is talking about intellectual property, people complained about it, they removed that in later versions. EFF is complaining about how it doesn't put limits on what the federal government can do with the information, so they added some limits, but they're overly broad. (What does "national security" even mean? Because it's pretty plausible it's going to be read as "whatever the National Security Agency or Department of Homeland Security does with it.") I mean it's good that they're taking criticism into account and making modifications, but it seems like a really weird bill, and I think it's a good thing that it's getting a lot of scrutiny.

If you want me to go through it and complain about it, I can do that…

>CISPA allows exactly that to happen!

Not exactly. First of all, publication seems very much not to be the idea. Half the the bill is talking about security clearances and the like, and how if you get "cyber threat information" from the feds (presumably even if they got it from other private sector entities) then it could still be classified and you can't publish it. And I don't see anything in the bill about the information becoming automatically declassified once a patch is available, so that's not going to be good for full disclosure. Plus, if I get this super secret threat information, now how do I e.g. submit a patch to the Linux kernel or OpenSSH to address it without impermissibly letting the cat out of the bag? Have they thought this one through?

But my original point was not that private entities could share information too, the point was, why should we want the federal government to have it? There is a real concern that they would use vulnerability information to advance their stupid "cyberwar" nonsense and then accidentally loose the network equivalent of the black plague, or use vulnerabilities to spy on people and expand their warrantless surveillance of the world population. I can see why they might be able to use the information to patch their own systems, but I would be a lot happier to see a specific restriction that disallows anyone from using any information received under these provisions for offensive or surveillance purposes.

>Moreover, the largest repository of threat information --- netflow traces, botnet identification, &c --- is housed inside the USG, which is prevented from sharing that information. That's the other problem CISPA solves

I don't think that's the part people have a problem with. It's not the information coming out of the government (assuming it really is technical information and not anything that identifies individuals or impinges on privacy), rather it's the information going back into it to feed proto-Skynet.

But let's talk about some of the other crazy things.

1) It seems like a major part of the legislation is the grant of immunity for entities that share information. Which is a really very strange thing. Why do these entities need to be exempted from all state and federal laws? Can we not identify the specific ones that are problematic and then fix them? Certainly at least identifying them would be useful. I'm not really comfortable with the idea of exempting companies from prosecution for, say, polluting the water supply or murdering bystanders when they're reporting or responding to cybersecurity vulnerabilities. And if we can't even identify the laws we're concerned about, that seems like a problem more in need of our attention than this.

2) Why are individuals explicitly excluded from qualifying as "protected entities" or "self-protected entities" that would otherwise qualify them for the immunity provision? Are Microsoft and its employees for some reason more deserving of immunity than e.g. Moxie Marlinspike, or any random schmuck who finds and wants to report a security vulnerability?

3) There is a whole list of things under "protection of sensitive personal documents" like library circulation records and medical records. First of all, how is any of that sort of thing the sort of thing that should qualify for this in the first place? But never mind that. If those things would otherwise qualify, shouldn't we then be concerned about a lot of other stuff that isn't on the list, like browsing history, search history, financial records, purchasing history, location data, etc.?

4) The section on liability for wrongful disclosure by the federal government is pretty extreme. I'm not happy with it as a taxpayer. So if the federal government screws up (it's been known to happen) and releases a vulnerability e.g. in some financial software that causes a trillion dollars in damages to other countries, the U.S. taxpayer is on the hook for that to any person adversely affected, not because they had any responsibility for the vulnerability but only because the government disclosed it? No thank you. How about instead we put some some personal liability on the government employee(s) who actually made the wrongful disclosure.

5) The bill does a lot of talking about the U.S. federal government and not a lot of talking about state governments or foreign governments. It looks like they may qualify as entities however, and if they don't then that's weird (because what if I want to share threat information with my city or state or Canada or something?). But then we're exempting state governments and foreign governments from all state and federal laws for "decisions made based on cyber threat information identified, obtained, or shared under this section"? What???

This is where I reiterate my concern that we're exempting them from laws against things like murder, kidnapping, wiretapping, espionage, terrorism, etc. Granted the exemption requires acting in "good faith" -- but that's putting a lot of work behind two fuzzy words.

The whole immunity thing seems like a huge kludge that doesn't address the underlying problem, which is really the Aaron Swartz problem. Some laws are unnecessarily complicated, overly broad or poorly drafted such that liability under them is arbitrary and unreasonable, but instead of carefully fixing the bad laws individually, we just throw them all away in this one specific case and let anyone else subjected to their continuing insanity fend for themselves.

[tptacek]

Wow. Ok. Let me take a shot at this.

* Bills start as draft language. The draft is circulated so that organizations like ACLU can point out things like "this bill gives too much deference to content rightsholders". The bill's authors then say, "that's not at all the intent of the bill" and then fix the language. It is very weird to complain about this, since it's the system actually working in the public interest. So, sorry, you're going to have to keep reading the bill. Also: CISPA is tiny. You can read it inside of 5 minutes. It isn't PPACA, the bill Pelosi commented on.

* I don't think software vulnerabilities are the best or most likely example of information that will be shared from the USG to the private sector under CISPA, but to the extent it is, you can simply assume that a (say) OpenSSH bug disclosed under CISPA to (say) Facebook is going to be patched immediately. I am a vulnerability researcher; that's my profession. It is a near-consensus among vulnerability researchers that the sooner vulnerability data is published, the safer we all are. I find it difficult to be concerned that CISPA might get OpenSSL flaws published faster. If that happens, great.

* If organizations don't want to share vulnerability information with the USG, they don't have to. CISPA is entirely opt-in. Moreover: vulnerabilities are a bad example of information CISPA enables sharing for. Companies can already lawfully share vulnerabilities with the USG. There is a whole cottage industry of small companies that sell vulnerabilities to the intelligence services. To the extent that your concerns about CISPA involve trafficking in privacy-harming exploit code (a very legitimate concern in general), you are (respectfully) ill informed about the current state of cybersecurity regulation.

* The reason CISPA preempts existing privacy laws and provides protection from liability is because there are lots of different privacy regulations on the books that make it difficult for companies operating in certain verticals to share any data without expensive legal review. If you deal with classroom data, you've got FERPA. If you have driver records, you have DPPA. CISPA does not repeal DPPA or HIPAA or FERPA; instead, it simply says that as long as companies are dealing in good faith with attack data --- "cyber threat information", a term the bill goes to some lengths to define --- they can reasonably assume they won't get sued for violating HIPAA by sharing that attack data.

* Individuals are exempted as private entities to protect individual privacy. The intent of that definition as stated by the bill's authors was to prevent CISPA from being interpreted as a mechanism for ISPs and the USG to enter into agreements to track individual customers. See "Myths and Facts About CISPA" at the House Intelligence Committee page. So: you have that concern exactly backwards.

* I don't have any response to your concern that the USG should not be liable for negligence in publishing sensitive data. I see it as a good thing that the bill creates accountability for the handling of the data, and wish there was more accountability in the bill, not less.

There are other questions in your comment that I didn't address because I didn't understand them, sorry.