by tptacek
4841 days ago
Or that you asked at 1:00AM. Two responses, briefly: 1. FISMA spells out in positive terms that incident data collected by agencies is to be reported out to LEOs and the national security services unless otherwise designated by the President, and 2. much of the data we're discussing is classified, so, 18 U.S.C. § 798 is a starting point. Do you dispute that, say, botnet identification data collected by DoD is classified? Do you have a source to suggest otherwise? I did network security product work at Pentagon with Arbor Networks and they were bananas about classification, operating an entire clone of their enterprise network to account for classification. I find it interesting that you can publish an article that suggests CISPA is a backdoor attempt at warrantless wiretapping but accuse other people of handwaving.
You're right, of course, that federal agencies have the power to classify data. But I think saying that overclassification happens all the time is not a controversial statement; President Obama in 2010 signed the Reducing Over-Classification Act and the DOD IG announced last November that it is reviewing DOD classification procedures. One of the 9/11 Commission members concluded: "Much more information needs to be declassified. A great deal of information should never be classified at all."
So if the only reason we need CISPA is that DOD is inadvisedly classifying botnet data as SECRET, then a sensible fix is for DOD to declassify it. Or, that failing, Congress could amend 18 USC 798 to allow that to happen. Laws, like computer security, should follow the principle of least privilege, and enacting a broad wildcard law that overrides all federal and state laws to fix a narrow botnet-classification problem violates that principle.
Also: the primary criticism of CISPA is that it overrides all other state and federal laws in allowing the transfer of customer data from private companies to .gov, .mil and other organizations. You're defending .gov->.com data transfer, which is hand-wavingly orthogonal to an explanation of why a wildcard override for .com->.gov data transfer is necessary.