The Tech Industry Worries CISA Will Allow Other Companies to Damage Their Infrastructure
The Computer and Communications Industry Association — a trade organization that represents Internet, social media, and even some telecom companies — came out yesterday against the Cyber Intelligence Sharing Act, an information sharing bill that not only wouldn’t be very useful in protecting against hacking, but might have really dangerous unintended consequences, such as gutting regulatory authority over network security negligence (though the Chamber of Commerce, this bill’s biggest backer, may not consider it an unintended consequence).
Most coverage of this decision emphasizes CCIA’s concern about the bill’s danger to privacy.
CISA’s prescribed mechanism for sharing of cyber threat information does not sufficiently protect users’ privacy or appropriately limit the permissible uses of information shared with the government.
But I’m far more interested in CCIA’s stated concern that the bill, in authorizing defensive measures, would permit actions that would damage the Internet’s infrastructure (to which a number of these companies contribute).
In addition, the bill authorizes entities to employ network defense measures that might cause collateral harm to the systems of innocent third parties.
[snip]
But such a system … must not enable activities that might actively destabilize the infrastructure the bill aims to protect.
At least some of the companies that make up our Internet ecosystem think that some other companies, in aggressively pursuing perceived intruders to their systems, will do real damage to the Internet as a whole.
It seems like a worthy concern. And yet the Senate runs headlong towards passing this bill anyway.
http://www.wired.com/2015/03/cisa-cybersecurity-bill-advances-despite-privacy-critiques/
“… In an interview on Bloomberg TV following the vote, intelligence committee chairman Richard Burr said that some of those newly adopted amendments were designed to prevent users’ information from being shared with government agencies. “We don’t want them to send personal data to the federal government, unless it’s absolutely crucial to show the cyberattack. So we bar them from providing that data to the federal government,” Burr said. “If it finds its way to the federal government, though, once we distribute it in real time and we realize there’s personal information, any company that discovers it has to remove it or minimize it in a way that it can’t be shared anywhere else.”
i love congressgoober burr’s line “… once we distribute it … and we realize …, any company that discovers it … has to minimize it … [so] it can’t be shared elsewhere.”
this thoughtful approach is known as when the horse is out of the barn, scout’s honor privacy protection.
http://www.salon.com/2015/10/15/why_congress_is_about_to_make_it_way_harder_to_protect_your_personal_data/
“… Government and some private sector industries started sharing information without such a bill. And it became clear — when China snuck into government databases and stole the security clearance information from 21 million government employees and contractors — that the government is still unable to keep even its most sensitive data secret…
In short, during the years Congress has been trying to pass the bill, it has become increasingly clear how pointless it would be to protect against hacks this way and how much more urgent other efforts to combat hackers are…”
orionATL on October 16, 2015 at 10:54 am
this cisa thing makes no sense. how does gov protect computer systems, or is it computer system data/documents content, … ?
[perhaps] cisa represents a disguised intent … the doj-u.s.gov equivalent of the chinese hacking of opm, etc., but legal don’t you know, no phishing required :)
it would be non-spying spying – using computer security as a foil to continue spying on individuals without all the bad press, rather like the prior doj use of revulsion generated by child-pornography as the foil for introducing spying and other constitutionally questionable police/legal tactics.
but suppose it were on its face a sincere effort at protection. so you have millions upon millions of documents. what then? how could this approach be effective? what will be done with these records? where will they be stored? who, specifically, will analyze them? fbi? contractors? nsa?
all-in-all a baffling, suspicious effort at computer security… ”
one question about details of implementation – are the data/documents which are selected for sharing shared between companies and gov, with a copy going to private entities and another (identical ?) going to gov entities?
and a second question, really more important: why is it not computer systems that are to be protected? why is it not solely computer systems’ security data that is to be shared between corporations (and with gov) rather than customer data/documents?
Is there documentation on the destabilization threat the bill poses? That would seem to be the threat that the methods in the bill “might cause collateral harm.”
I can understand the civil liberties concerns. But the bill authorizes non-governmental “entities” to deploy defensive measures on their own systems or with prior written permission on other systems. What is the perceived harm in this process? (Question is factual, not rhetorical.)
I’m not sure but that all builds from terms of service (for us), so for example, if a Google or Facebook user were deemed trouble, their ISP might, via dint of terms of services, be able to access their account or otherwise intervene, which might in turn do damage to those services.
I’m just beginning to think about that, though.
Also remember there’s an OLC memo that Ron Wyden keeps trying to get liberated that pertains to this issue somehow.
i just don’t understand this stuff; i don’t trust this stuff; it seems so simple.
i see discussion of technical concerns, but i haven’t seen any discussion of cisa-authorized legal cudgels which could be used against political activists. the current republican party, nationwide, at all levels, is focused on repressing opposition political expression.
let’s say i am an unrepentant quaker peace organization. i don’t have much money and the internet is a cheap postal system for me. if i were to broadcast 500,000 of my broadsides could i be accused of say a dos attack on my isp provider (who disapproves of my views) or other cisa-facilitated charges? i’m thinking of rico and material support laws.
cisa –
about any concerns cisa could be used to legitimize surreptitious suppression of political action thru spying (including thru pressuring a corporation, including isp’s):
(obligatory disclosure – of course all of this has been covered many times over at the emptywheel weblog.)
http://www.wired.com/2015/03/cisa-security-bill-gets-f-security-spying/:
[ … a coalition of dozens of non-profits and cybersecurity experts criticiz[ed] the bill in an open letter earlier this month. “None of the [privacy-related] points we raised in our coalition letter to the committee was effectively addressed.”
… The bill, as worded, lets a private company share with the Department of Homeland Security any information construed as a cybersecurity threat “notwithstanding any other provision of law.” That means CISA trumps privacy laws like the Electronic Communication Privacy Act of 1986 and the Privacy Act of 1974, which restrict eavesdropping and sharing of users’ communications. And once the DHS obtains the information, it would automatically be shared with the NSA, the Department of Defense (including Cyber Command), and the Office of the Director of National Intelligence. …]
so, if you are a deeply committed environmental group (of the sort the fbi has harassed, illegally, for years) perhaps your isp provider or credit card company could be “persuaded” to file a complaint with dhs.
this, i suspect, is the essence of cisa. this is why chairman burr in particular would be happy with the product and why a 31-year-old committee employee would have been in charge of writing the bill.
S.754 – Cybersecurity Information Sharing Act of 2015
https://www.congress.gov/bill/114th-congress/senate-bill/754/text
– the cisa legislation has been written by, and is being presented to the senate by, the ssci, the senate select committee on intelligence.
– this special committee was created in the 1970’s to oversee the conduct and operations of american secret intelligence gathering and covert action organizations, especially the cia, following disclosures of improper conduct.
– there are standing committees in the senate, e.g., judiciary, agriculture, finance, whose job it is to create legislation as needed. one might ask why a special committee whose authorized task is oversight is allowed to generate legislation? in particular with cisa, to generate legislation that facilitates government spying in a new way – private spying for the government?
– with cisa we have the spectacle of a special senate committee whose job is to keep close tabs on government intelligence gathering acting instead to facilitate a new kind of spying by the agencies it oversees.
– the new kind of spying created by the cisa (and usa freedom) involves having corporations do the spying for the government by voluntarily turning over customer records to government agencies, including the national security agency. with the cisa, those records will first be filtered thru the dept of homeland security.
– this new, out-in-the-open, private-public-cooperation spying created by usa freedom act and cisa replaces the surreptitious spying revealed by edward snowden.
– both bills use the carrot and stick approach. in usa freedom, communications corporations will be paid for their work and open to judicial sanction if uncooperative. in the cisa, providing records to other business corporations and the dhs will free a corporation from some legal liabilities including suits by government oversight agencies :)
– on the private side of the cisa discussion we have debate supporting the act (chamber of commerce) and tech companies opposing the act, the point of this emptywheel article.
– but on the government side – silence. i have not read any negative concerns by government officials either national security ghetto types or everyday executive branch/political administrators. apparently the executive branch thinks well of cisa, perhaps because it will get the for-gods-sake-do-something monkey off the administration’s back.
– so we end up once again, with pointless, ineffective legislative action undertaken to please and protect rather than to solve a problem. that problem, the nationwide computer systems security problem, has not been made to vanish by a wave of the legislative wand.