
Despite privacy concerns, CISA bill poised for passage - lizmrush
http://america.aljazeera.com/articles/2015/10/26/despite-concerns-cybersecurity-bill-heads-to-vote.html
======
belak
There's an AMA on reddit right now with the EFF, Access, Fight for the Future,
FFTF, and Demand Progress about this.

[https://www.reddit.com/r/IAmA/comments/3qban2/oh_look_its_th...](https://www.reddit.com/r/IAmA/comments/3qban2/oh_look_its_that_cisa_surveillance_bill_again/)

Looks like it just started a few minutes ago, so no idea if it'll be useful,
or not.

~~~
tptacek
I'm never super happy with EFF's advocacy (I think they do good and important
legal and technical work but I'm almost always unhappy with how they represent
policy to the public).

I've been _uniformly_ discouraged by FFTF's advocacy, which I find goes way
past "misleading" into "straight up dishonest", such as their recent piece
that strongly suggested Facebook supported CISA (a fact not in evidence, for
whatever that's worth) because doing so would immunize them from privacy suits
for user data so long as they dumped all that user data to the USG. No reading
of CISA gets you to that.

Example from today's AMA is FFTF's claim that CISA "exempts itself from FOIA",
making it impossible to challenge in court: they're referring to Sec 4 (d) (4)
(b), which exempts from FOIA _individual shared indicators_, which of course
must be the case, because indicators are things like compromised account names
and passwords. That's all the law exempts from disclosure.

~~~
zmanian
It is uncontroversial to state that corporations and special interest groups
frequently lobby in public for a position and in private against a position.
Frequently you know this only through un-attributable information passed to
you.

Advocacy organizations are not journalists. They don't need to cite their
sourcing before making claims they believe are true. The purpose of calling
out Facebook is an attempt to force them to align their public and private
positions if they differ.

As usual, Marcy does excellent analysis about what information NSA will be
able to collect, analyze and disseminate under CISA.[1]

[1] [https://www.emptywheel.net/2015/10/26/two-intended-consequences-cisa-supporters-will-be-responsible-for/](https://www.emptywheel.net/2015/10/26/two-intended-consequences-cisa-supporters-will-be-responsible-for/)

~~~
tptacek
This is a blog post that makes two very broad claims:

1. That Chrysler can exploit CISA to avoid liability for vulnerabilities in
their cars simply by sharing the flaws with the USG as an "indicator".

2. That the USG can use CISA to collude with private companies to avoid
warrant requirements and spy on their customers.

Both of these points are, I think, false. I've linked upthread to the text of
the bill and provided a summary. In particular, I don't think the "Chrysler
reading" of the bill finds any support at all in the text; Chrysler is
immunized from suits _stemming from their own sharing_, and even in the
sharing, they are explicitly on the hook for negligence and misconduct.

If it's helpful, here's the entire limitation of liability in CISA. Notice:
companies are exempt from liability for _monitoring_, _sharing_, and
_receipt_ of indicators. They aren't exempt from liability for having
vulnerabilities in the first place!

    6. Protection from liability

    (a) Monitoring of information systems

    No cause of action shall lie or be maintained in any court against
    any private entity, and such action shall be promptly dismissed,
    for the monitoring of information systems and information under
    section 4(a) that is conducted in accordance with this Act.

    (b) Sharing or receipt of cyber threat indicators

    No cause of action shall lie or be maintained in any court against
    any entity, and such action shall be promptly dismissed, for the
    sharing or receipt of cyber threat indicators or defensive
    measures under section 4(c) if—

    (1) such sharing or receipt is conducted in accordance with this
    Act; and

    (2) in a case in which a cyber threat indicator or defensive
    measure is shared with the Federal Government, the cyber threat
    indicator or defensive measure is shared in a manner that is
    consistent with section 5(c)(1)(B) and the sharing or receipt, as
    the case may be, occurs after the earlier of—

    (A) the date on which the interim policies and procedures are
    submitted to Congress under section 5(a)(1); or

    (B) the date that is 60 days after the date of the enactment of
    this Act.

    (c) Construction

    Nothing in this section shall be construed—

    (1) to require dismissal of a cause of action against an entity
    that has engaged in gross negligence or willful misconduct in the
    course of conducting activities authorized by this Act; or

    (2) to undermine or limit the availability of otherwise applicable
    common law or statutory defenses.

~~~
declan
I'm not sure why you were downvoted for a reasonable post citing original
sources (I upvoted you to try to correct that).

I expect I will disagree with you about the desirability of CISA, just as we
disagreed years ago about CISPA, but enjoy your posts on the topic
nevertheless. They make thoughtful and reasonable points. Even if you end up
on the wrong side. :)

~~~
tptacek
Just to be clear: CISA is bad. I oppose it.

~~~
ChrisAntaki
How many comments have you made expressing your opposition, versus painting
groups fighting CISA in a negative light?

~~~
tptacek
I'm not "painting" anyone. People say things that are misleading, wrong, or
outright dishonest. I point them out. I don't feel any need to justify that to
you.

~~~
ChrisAntaki
Well, wouldn't it be more productive to write your own blog post(s) on why
CISA should be opposed?

~~~
tptacek
It would be about as productive as you writing a blog post about how much you
disagree with my comments.

~~~
ChrisAntaki
CISA impacts more people, to say the least

------
orionblastar
I can't believe the number of times this bill has been voted down, only to
come back up for a vote again under a different bill or different name.

It is like they keep submitting bills until it gets passed. This not only is a
waste of time, it seems to be how the lobbyists get their bills passed.
Eventually one will get passed and then our privacy will no longer exist. If
you want our data, get a judge to order a search warrant. Otherwise it is
Unconstitutional.

~~~
dmfdmf
>If you want our data, get a judge to order a search warrant. Otherwise it is
Unconstitutional.

This is my position and nothing will move me from it because it is the
principled position. Moreover, the advocates of mass surveillance fail to
realize that even if their motives are as pure as the driven snow nevertheless
a mass surveillance system will attract sociopaths and psychopaths who survive
by preying on other human beings instead of creating value and trade. This is
exactly why we have a Constitution to limit the powers of government.

~~~
orionblastar
I fear a Police State where it is basically a 1984-type society. Instead
of TV sets watching us, it is our smart phones. The only thing protecting us
from the Thought Police is the fact that our smart phones are encrypted so
that we can have privacy. Take away that encryption and let the Police or
anyone else have access to anyone's smart phone and there is no privacy and
you can be arrested for stuff you didn't do but might because some machine
learning algorithm says you might commit a crime. Sort of like the Minority
Report TV show where they stopped using precogs and went to a Hawkeye program
that uses ML to tell if someone is going to do a crime and has access to
everything in the public to tell.

------
jcrawfordor
One of the things that concerns me about this debacle is that ongoing CISA
controversy will eliminate the possibility of legislative support for
information sharing for good. I appreciate that there are privacy concerns in
CISA, however, it is very important to the security field that sharing of
intelligence indicators become more plainly safe from a legal perspective.

'Indicators' usually consist of information about external actors and
organizations that are relevant to intrusion detection, for example, the most
common types of indicators are domains used for C&C and hashes of malicious
files. It is difficult to construe a privacy violation from these types of
indicators. There are concerns about certain providers who may have indicators
relevant to their users - for example, some providers might share the names of
otherwise legitimate user accounts which have been compromised as these are
often used to send spam that ought to be blocked. However, in general, cyber
intel indicators do not involve sensitive information about users.

Right now a great deal of organizations are not participating in public or
private threat information sharing because of concerns over liability and
compliance, and this significantly impedes defense by letting threat actors
get away with infrastructure and tool reuse that ideally should reveal them.
These acts originated as an attempt to correct that. It looks alarmingly like
many advocacy organizations want to keep it this way for good.

I don't want to be painted as anti-privacy and I would say that I'm not, but
the principal goal of this legislation is not to send your data to the NSA,
it's to help me do my job. I hope that the internet community will have the
foresight to try to resolve the specific problems with current legislation,
and not to entirely prevent information sharing.

~~~
meowface
There is already a pretty large threat intelligence information sharing effort
in place through the ISAC system established by DHS:
[http://www.isaccouncil.org](http://www.isaccouncil.org)

These have seen widespread adoption by medium and large sized companies, and
are doing good work. Or at least the one I participate in is; I can't speak
for the other ISACs.

They have policies that facilitate information sharing without privacy or
liability issues.

There are definitely still a very large portion of organizations that are not
a member of any ISAC or similar information sharing group, though. I don't
know how much CISA may help with that.

~~~
jcrawfordor
You may find it meaningful that, in my interactions with several people
involved in operating ISACs, I have heard nothing but support for CISA. One
high-up individual in a well-known ISAC expressed a great deal of frustration
and said that opposition to CISA came only from people who had no idea what
indicators were. I don't think that it's quite that simple, but there's
certainly an element of that.

Much of the benefit of CISA is specifically in the area of information sharing
with the gov't, which has various initiatives like NCCIC that are falling flat
in a lot of ways. Of course the ISACs would like to be involved in this. CISA
is also seen as a way to get a lot more organizations to contribute to ISACs,
as well.

------
Laaw
Setting aside any hatred for the government and mistrust, how does Company A
share information with Company B (or the FBI) about how a hacker got into
their networks?

Is the concern that Google is going to hand over your browser history under
the guise of CISA?

~~~
tptacek
The law doesn't define how information is to be shared; it merely makes it
lawful for the sharing to happen, so long as it meets the conditions in the
statute.

This is pretty typical for bills in US Federal Law: Congress enacts a
relatively broad statute that establishes principles relied upon in a later
"rulemaking" process; the statute will delegate to specific agencies the
privilege of making those rules.

~~~
Laaw
If this law isn't enacted, then it will continue to be illegal for Company A
to share breach details with the government, or with each other.

Is this necessary to slow down the rate and severity of breaches? If so, what
should this law look like?

~~~
tptacek
I don't think the harm outweighs the limited good in this situation. I'm
negative on CISA. I was neutral on CISPA, which didn't have the law
enforcement investigative enhancements CISA has.

But I still don't think it's a big deal either way. Like, don't donate money
to prevent it from passing if this is the only donation you can make this
year.

------
tptacek
The actual text of CISA:

[https://www.govtrack.us/congress/bills/114/s754/text](https://www.govtrack.us/congress/bills/114/s754/text)

There are no amendments to CISA that I can find (CISPA collected quite a few
amendments, some of which were very relevant to HN, before the bill eventually
died).

I read CISA so you don't have to! (You still should). Here's a summary:

There are three particularly important defined concepts:

<<Sec. 2 (5) (A) "Threats">>, which means "unauthorized activity" that might
plausibly compromise confidentiality, integrity, or availability, but that
isn't either protected speech or a mere ToS violation.

<<Sec 2 (6) "Indicators">>, the most important concept in the bill, which is,
roughly: logs of recon activity, exploit techniques, vulnerability data,
account hijack techniques (I think this bill actually tries to capture the
notion of an XSS), bot C&Cs, damage reports on attacks, and anything else
related to security and not already prohibited by law.

<<Sec 2 (7) "Defensive measures">>, roughly, things that stop or monitor
attacks.

"Defensive measures" is a confusing concept in the bill. For a while, it was
thought that CISA would authorize something akin to hack-back privilege for
private entities; it does not. Meanwhile, defensive measures are probably
_already_ lawfully shareable. Anyways, the bill allows you to share both
indicators and defenses.

The bill allows the USG to share indicators and defensive measures with
private entities, and vice versa.

So then:

Section 3 of the bill authorizes the USG to share stuff with private entities.
This isn't the part of the bill that concerns people (we all probably want
_more_ sharing from USG to private entities; for instance, that's what we're
saying every time we demand NSA fork over its zero-days).

Section 4 authorizes private entities to share with the USG. Here's what it
allows:

(a) You can monitor your own systems, or those of people who give you written
authorization, for any security purpose, notwithstanding any previous
limitation on monitoring. Even if ECPA or student records law says you
shouldn't monitor, if you're doing it to deal with security threats, you're
now allowed to.

(b) You can run your own defensive measures, or defensive measures on people
who give you written authorization. Ok then.

(c) You can share indicators and defenses with the USG, and receive them from
the USG so long as you comply with their sharing restrictions.

(d) You have to keep the data secure, you can't share it willy-nilly, and
before _you_ share anything, you have to (1) review it for PII and (2)
anonymize any PII you find.

Sec 4 (d) (4) has problematic language that allows, say, Facebook to provide
written authorization to the USG to prosecute based on shared indicators; in
theory, they can do this even if the prosecution they're going to launch isn't
related to a computer crime, but just happens to be illuminated by the
indicator Facebook shared. (But remember: Facebook can't share under CISA
unless they have a bona fide cybersecurity purpose for doing so).

Section 5 has a bunch of rulemaking authority in it, but buried in it is Sec 5
(d) (5) (a), which gives all the purposes FedGov is allowed to use indicators
for:

* any security purpose
* attributing threats
* determining whether threats are foreign
* preventing immediate disaster/harm (iv)
* stopping child sex trafficking (v)
* stopping major felonies, espionage, trade secret theft (vi)

(iv), (v), and (vi) are major problems; these aren't cybersecurity purposes at
all, but rather a sort of "these crimes are so bad that we're allowed to
repurpose indicators to deal with them", which, maybe fair enough (except for
trade secret theft), but still, not OK that new investigative capabilities are
buried in the middle of a cybersecurity bill.

And that's it.
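Two posts above describe the same practical problem from different sides: jcrawfordor's point that the indicators worth sharing (C&C domains, file hashes) are not personal data, except where a provider shares the names of compromised accounts, and tptacek's summary of Sec 4(d), under which a sharer must review an indicator for PII and anonymize it before sharing. The example below is added here and is not code from the thread, the bill, or any ISAC; it shows one way a sharing pipeline can make that review step explicit. Every field name, the record shape, the sample record and the key are constructed for illustration.

```python
"""Pre-sharing sanitizer for cyber threat indicator records (added example).

Technical indicator fields pass through unchanged, identity fields are
pseudonymized with a keyed hash, free text is scanned for e-mail addresses,
and any field not explicitly reviewed is dropped. All names below are
constructed; they are not the bill's definitions or any real sharing schema.
"""
import hashlib
import hmac
import re

# Fields carrying the indicator itself: what a receiver needs to detect the
# same activity. (Constructed field names.)
TECHNICAL_FIELDS = {"c2_domain", "file_sha256", "source_ip", "technique", "observed_at"}

# Fields that identify a person or account (constructed names). Pseudonymized so a
# receiver can correlate repeated abuse of one account without learning who it is.
IDENTITY_FIELDS = {"victim_account", "victim_email"}

# Free-text fields, scanned for e-mail addresses which are redacted in place.
FREE_TEXT_FIELDS = {"analyst_notes"}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed HMAC token: stable for one sharer, but not reversible by a receiver
    without the key. An unkeyed hash of an e-mail address would be trivially
    reversed by a dictionary of known addresses, so the key matters."""
    digest = hmac.new(key, value.lower().encode(), hashlib.sha256).hexdigest()
    return "pseud:" + digest[:16]


def sanitize_indicator(record: dict, key: bytes) -> tuple:
    """Return (sanitized_record, audit_log).

    Unknown fields are dropped rather than passed through: the review step has
    to be explicit about every field it releases, and the audit log records
    what was changed so the decision can be checked later."""
    out = {}
    audit = []
    for field, value in record.items():
        if field in TECHNICAL_FIELDS:
            out[field] = value
        elif field in IDENTITY_FIELDS:
            out[field] = pseudonymize(str(value), key)
            audit.append(f"pseudonymized {field}")
        elif field in FREE_TEXT_FIELDS:
            cleaned, n = EMAIL_RE.subn("[email redacted]", str(value))
            out[field] = cleaned
            if n:
                audit.append(f"redacted {n} email address(es) in {field}")
        else:
            audit.append(f"dropped unreviewed field {field}")
    return out, audit


# Constructed sample record: a compromised account used to send spam from a
# phishing campaign. The hash is SHA-256 of the empty string, used as a stand-in.
SAMPLE_RECORD = {
    "c2_domain": "update-check.example",
    "file_sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "source_ip": "203.0.113.7",
    "technique": "credential phishing",
    "observed_at": "2015-10-26T14:02:00Z",
    "victim_account": "jdoe",
    "victim_email": "jdoe@example.com",
    "analyst_notes": "Account jdoe@example.com sent 4,000 spam messages after login from 203.0.113.7",
    "billing_address": "1 Main St",  # not an indicator at all; must never leave
}

if __name__ == "__main__":
    # Constructed key; in practice it would come from the organization's key store.
    sanitized, audit = sanitize_indicator(SAMPLE_RECORD, b"constructed-sharing-key")
    for k, v in sanitized.items():
        print(f"{k}: {v}")
    print("audit:", audit)
```

The design choice worth noting is the default: a field the reviewer has not classified is dropped, not shared, and the audit log is returned alongside the record so the sharing decision is itself inspectable. Using a keyed HMAC rather than a bare hash for account names is what keeps a pseudonym from being reversed by anyone who can enumerate likely usernames or e-mail addresses.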

~~~
_delirium
I could be missing a further limitation, but doesn't Section 4(a) _de facto_
amount to a repeal of all other laws that limit monitoring? Yes, the exception
is limited to monitoring for a "security purpose", but a pretty broad range of
things can be justified as a "security purpose". I'm also skeptical that
courts will seriously second-guess companies' representations on that point.

~~~
tptacek
Yep, I called that section out for that reason. I'm not particularly worried
about it (I think this part of CISA mostly just clarifies something that was
already pretty much settled).

Companies aren't allowed to just make up "security purpose", though; under
CISA, they have to be monitoring for threats as construed in CISA, which
means, for instance, they can't find exemption for liability for monitoring
for mere ToS violations.

~~~
gknoy
Couldn't one collect logs of all things, under the auspices of collecting logs
that (may) contain "recon activity" and "exploits"? It seems on a surface
reading that one could collect all those under the umbrella of collecting
Indicators, and then also use it also for things like selling-to-advertisers
or other business-related things.

Of course, our terms of use on most sites already say they can collect +
monetize such things, so maybe this is moot.

~~~
tptacek
I'm not sure I see the part of CISA that allows you to sell your logs to
advertisers. I do see lots of places in the bill that allow sharing to other
private entities or to the USG for cybersecurity purposes.

~~~
ChrisAntaki
Sounds like a loophole.

~~~
tptacek
What specific part of the bill reads like a loophole that would allow Facebook
to sell its security logs to advertisers?

~~~
ChrisAntaki
I was just responding to what you'd said above:

> I do see lots of places in the bill that allow sharing to other private
> entities or to the USG for cybersecurity purposes.

~~~
tptacek
"For cybersecurity purposes".

It's a short bill. Read it again! These terms are defined, reasonably well.

------
mkhpalm
They write these articles as if the people of the United States have any say
in the matter...

~~~
Shivetya
it all starts with people not voting for who they are told to vote for. I am
quite sure that the majority here will vote for the candidate at the top of
the party that the donor class/establishment has decided wins. Just like the
Republican party establishment who fights against the Tea Party (for which the
media and establishment convinced many voters of both sides to mock them) the
Democratic party may be having its own similar moment with Sanders. Yet it
doesn't matter if you still vote for whom you are given regardless of your
personal choice.

Politics in the US cannot change until people simply say no. That means at
least voting for someone not from the big two or voting against your own party
to show them the lesson they need.

After all, how can your vote be wasted doing so when so many are convinced
their vote already doesn't matter?

------
grflynn
- Four Letter Acronyms do not a policy make

- The net is a-central and not dependent on a single fascist org to run it

- Pirate utopias will crop up to subvert any such control mechanisms.

- 4 letter acronyms by virtue of being over-arching make the net stronger by
way of streisand effect

~~~
anon4
It's somewhat ironic to think how "pirate" once meant someone who takes
everything you have and gives nothing back, but today a pirate is a very
generous individual who contributes their time and money, not to mention
risking personal safety, in order to give you free access to contemporary
culture.

------
sroussey
So just hack this one government system and get everyone's vulnerabilities.
Thanks for making it easy. Maybe someone will work as a contractor and post
them all somewhere.

------
mtgx
Once again we can thank Dianne Feinstein for this. How did she get re-elected
again? Was it gerrymandering or did her NSA buddies, which she keeps propping
up, hack the poorly secured voting machines?

~~~
tshtf
Feinstein is a senator. How could gerrymandering have anything to do with her
election?

~~~
snowwrestler
Have you seen the shape of California? I mean, it's implausible at best. :-)

But seriously, it's kind of fun to imagine what life would be like if U.S.
states were shaped like House districts. Maryland is probably the closest,
geometrically.

~~~
WildUtah
_Have you seen the shape of California?_

Did you know that Reno has been gerrymandered so far it's now west of Los
Angeles? That has to be some kind of conspiracy. Otherwise it would just be
impossible.

~~~
snowwrestler
California was stretched so far that it covers the full distance from the
lowest elevation in the lower 48 to the highest summit in the lower 48.

It was also shaped so that it encompassed the driest point in the U.S.--Death
Valley--and one of the wettest: 100 feet underwater below the Golden Gate
Bridge.

Also, if the state of California were its own country, it would be referred to
as the nation of California. True story.

