Hacker News new | ask | show | jobs
by deepblueocean 4811 days ago
Nah. It's bad. Here's a simple argument that covers just one part of the bill.

CISPA would give a safe harbor from other privacy rules to companies that share information with the government as long as that information is about "cyber threats". Now, let's say someone breaks into your database server and you're at a company with not-too-skilled IT people. The government shows up and says "hey, what can you tell us about the attack you experienced? PS - we'd be happy to analyze your data for you."

What do your IT people do? They say "screw it, we'll just send in all the logs we have and let the feds figure it out." And so they do that.

What if the law protects the information in those logs? What if the information is sensitive (like health or financial information) and is protected under a special privacy regime like HIPAA? Or what if the information is protected from disclosure by contract (like in a TOS/TOU document)? CISPA says that the disclosure is exempt from whatever sanctions/punishments would happen under those protection regimes because Cyber Threats Are Important (tm).

Disclosure: I am not a lawyer. Even after it's passed into law, only a court can decide exactly what the safe harbor in CISPA means.
1 comments
tptacek 4811 days ago
That is in fact more or less what the law allows firms to do: when their database is compromised, they are allowed to cooperate with other service providers and with law enforcement to track down what actually happened to their systems without spending $50,000 to ensure that they aren't violating, say, DPPA.
link
anoncow 4811 days ago
So that means, if the database contained emails, call records, or sms, The feds could read all of it.

That sounds like a security risk waiting to happen at your cell phone carrier and email service provider.

link
tptacek 4811 days ago
Sure. What's the alternative? What did you think happened when law enforcement investigated serious computer crimes? If a financial institution has a key database popped and the Secret Service is called in to investigate, was it your expectation that the victim was required to carefully anonymize and blind all the data in that database? How could any criminal investigation work if that was the requirement? (Cliff's Notes: That's not the requirement).

The bill as written, even before the narrowing amendments, acknowledges the risk this subthread discusses. It does that by trying to define "cyber threat information", as information directly implicated in an attack. In the sponsor's notes on the bill on the House site, they explain that the definition of "protected entity" was changed specifically to prevent individual people from being considered as entities, so that person-specific data couldn't be handed over under CISPA authority.

The basic problem the bill addresses is this: large companies are under continuous attack. Let's stipulate that attacks come in two flavors: DDOS and targeted malware.

In both cases, there is clear utility in allowing companies to collaborate with other companies and with the government.

In the DDOS case, you want to share NetFlow information with your upstream ISPs and with DDOS trackers, because those are the organizations that generate black-hole and IP filtering rules, and they all work better if they have lots of different vantage points to work from. At the very least, you want to push sources back up to your immediate upstream providers so they can soak them up on their infrastructure rather than saturating your uplinks.

In the malware case, you want to share forensic information that would help identify (a) the vulnerability the malware exploits, (b) the C&C system the malware is using, (c) any evidence of the source of the malware, and (d) forensic information that would help investigators discern the intent of the malware.

In both cases, your company's general counsel is apt to inform you that the legal risk of sharing just that information is potentially unbounded, because nobody can predict exactly what claims could be made under ECPA, SCA, DPPA, HIPAA, FERPA, &c; nobody even knows what traces of information, overt or statistical, might be lurking in NetFlow.

So the situation we have today is that there is information sharing when attacks happen, but much of it is sub rosa, and you have to be in the right clubs to get access to the right sharing networks.

It does not make intuitive sense to me that electronic privacy should mean that basic low-level systems information incident to a real attack should incur unbounded legal risk when shared with other companies directly involved in mitigating those attacks.

You might disagree, and that's fine. But the notion that CISPA is actually intended to allow NSA to read your email is just not supported by the language of the bill, by any advocacy for the bill, or by any of the bill's amendments, and the problem the bill is addressing is a real problem (I have some limited professional exposure to it).

link
declan 4811 days ago
One alternative is to limit CISPA to law enforcement receiving the information rather than the National Security Agency and other arms of the defense-intelligence apparatus. But that amendment failed by a 4-14 vote this week.

May I assume that you'll publicly oppose CISPA if it continues to advance without that amendment? :)

Also, regarding your claims that person-specific data can't be handed over, a separate amendment requiring that failed by a 4-16 vote. So it will be able to be shared with the NSA.

BTW, I'm not arguing that there are not real problems arising from attacks that large companies, and even smaller companies, face. The question is what to do about it, and whether CISPA remains the best vehicle.

link