
Obama Signs CISA Bill into Law - benevol
http://www.npr.org/sections/thetwo-way/2015/12/18/460281572/congress-sends-1-8-trillion-tax-and-spending-bill-to-president-obama
======
tptacek
CISA passed the Senate with almost 3:1 bipartisan support in October.

PCNA, the House's (worse) version of CISA, passed with similar margins in
April.

Obama has publicly supported the bill all year.

As much as HN and Twitter want to believe CISA was enacted in some shady
backroom deal, the process that actually occurred, including publicly
available amendments and months-long review, is pretty close to "Schoolhouse
Rocks".

The debate on CISA was over. Thankfully. The only debate left was how close
CISA would come to PCNA, with its broader law enforcement ties and vaguer
language (EFF claims PCNA would have in some cases authorized large private
companies to "hack back" computers they believed had been trying to hack
them). Instead, the Senate's CISA is the law of the land, almost verbatim to
what they passed --- in a drawn out, public process --- in October.

 _Later:_

Someone downthread asked for a summary of the bill. I did my best to strip the
legalese out of it:

[https://news.ycombinator.com/item?id=10763827](https://news.ycombinator.com/item?id=10763827)

~~~
randomname2
The 14 votes against, FWIW:

    Baldwin (D-WI)
    Booker (D-NJ)
    Brown (D-OH)
    Coons (D-DE)
    Franken (D-MN)
    Leahy (D-VT)
    Markey (D-MA)
    Menendez (D-NJ)
    Merkley (D-OR)
    Paul (R-KY)
    Sanders (I-VT)
    Udall (D-NM)
    Warren (D-MA)
    Wyden (D-OR)

[https://www.techdirt.com/articles/20151022/10133932597/cisa-moves-forward-these-83-senators-just-voted-to-expand-surveillance.shtml](https://www.techdirt.com/articles/20151022/10133932597/cisa-moves-forward-these-83-senators-just-voted-to-expand-surveillance.shtml)

~~~
herbig
I'm a very liberal person, but I really like Rand Paul. I just wish he didn't
think gays were going to burn in hell for all eternity, or at least would
stick to libertarian principles on the issue and let people live how they want
to live.

The same with abortion laws. I'd be way more into supporting him if he would
concede he doesn't agree personally, but that people shouldn't be forced by
the government to live according to his religious beliefs.

~~~
spo81rty
I've always felt that was how Paul believed. He thinks marriage is between a
man and a woman but doesn't think the government should be involved in
defining it.

~~~
agildehaus
He's open to letting state government define it. I'd say that's something
everyone who is for gay rights should be against.

~~~
mattlutze
State governments deciding is what led to federal Supreme Court action.

The states-as-testing-grounds concept has always felt pretty reasonable. Some
will make objectively bad choices, but the right choices will eventually win
out.

The folks fighting for gay rights had to go state-to-state because there was
no traction in the federal legislature to get changes made.

------
randomname2
How this happened [1]:

In a late-night session of Congress, House Speaker Paul Ryan announced a new
version of the “omnibus” bill, a massive piece of legislation that deals with
much of the federal government’s funding. It now includes a version of CISA as
well. Lumping CISA in with the omnibus bill further reduces any chance for
debate over its surveillance-friendly provisions, or a White House veto. And
the latest version actually chips away even further at the remaining personal
information protections that privacy advocates had fought for in the version
of the bill that passed the Senate.

Snowden's comment on this:

Shameful: @Facebook secretly backing Senate's zombie #CISA surveillance bill
while publicly pretending to oppose it.
[https://t.co/du7RK7V1WJ](https://t.co/du7RK7V1WJ) — Edward Snowden (@Snowden)
October 25, 2015

[1] [http://www.wired.com/2015/12/congress-slips-cisa-into-omnibus-bill-thats-sure-to-pass/](http://www.wired.com/2015/12/congress-slips-cisa-into-omnibus-bill-thats-sure-to-pass/)

~~~
nakedrobot2
Can someone explain why/how the CISA portion of the bill can or can't be
removed later?

~~~
jessriedel
What are you asking exactly? In order to be attached to the bill, the
amendment must be approved by a majority of the chamber. So that means it's
already garnered support from congress, and congress is unlikely to take it
off again before voting on the bill as a whole. Once it passes congress, the
only way for it to be defeated would be for the president to veto the enormous
budget bill based only on the amendment, which he is very unlikely to do (even
if he did disapprove of CISA, which I don't think he does).

~~~
natch
I think he means, while they approved the bill, warts and all, that doesn't
mean everybody likes all the warts. (Although it is congress, so we have to
assume they DO like warts... but let's put that aside). He's asking if they
can come back and remove some of the warts, essentially, in a separate action
at a later time.

~~~
jessriedel
But a majority of congress _did_ like the wart. That's why the amendment
adding the CISA text to the omnibus bill passed, and that's why it's very
unlikely to be repealed later.

(Of course it's possible to repeal it later, as is true for all laws; they
didn't pass a constitutional amendment.)

The public-choice situation as I understand it is that CISA was a bill that
concentrated interests (large tech companies) liked but which the public as a
whole did not like (insofar as they bothered to know about it). The key to
passing such a bill is to minimize publicity and bundle it with a distraction.

~~~
tptacek
Both CISA and PCNA passed with large amounts of publicity and long review
periods.

~~~
jessriedel
OK, I don't necessarily disagree, but why tack CISA onto the omnibus budget
bill if not to avoid publicity? There was no compromise justification (i.e. no
argument that CISA + budget bill would pass even though neither would pass
alone), correct?

~~~
tptacek
It's the end of the year and they're trying to get shit wrapped up. CISA and
PCNA weren't controversial except on message boards. They passed with
overwhelming support, positive media coverage, and the overt support of the
President.

~~~
jessriedel
Although I'm happy to admit that there was no major public pushback against
CISA because no one in the public cared, I'm not convinced that it had public
support or positive media coverage. I typed "CISA" into Google News, and these
were the first articles and opinion pieces that came up on the _mainstream_
(not tech-related) news sites. (I couldn't find any positive publicity at
all.)

--

Washington Times: "CISA cyber bill squeezed into omnibus spending plan |
Lawmakers have contentious cybersecurity legislation into an omnibus spending
plan..."

[http://www.washingtontimes.com/news/2015/dec/16/cisa-cyber-bill-squeezed-omnibus-spending-plan/](http://www.washingtontimes.com/news/2015/dec/16/cisa-cyber-bill-squeezed-omnibus-spending-plan/)

Huffington Post: "Congress Ties Controversial Cybersecurity Bill To Key
Spending Package | And critics are not happy about it."

[http://www.huffingtonpost.com/entry/cisa-omnibus-spending-bill_567176b7e4b0dfd4bcc00143](http://www.huffingtonpost.com/entry/cisa-omnibus-spending-bill_567176b7e4b0dfd4bcc00143)

The Guardian: "Congress just revived the surveillance state in the name of
'cybersecurity'"

[http://www.theguardian.com/commentisfree/2015/dec/16/congress-budget-omnibus-cisa-surveillance-cybersecurity](http://www.theguardian.com/commentisfree/2015/dec/16/congress-budget-omnibus-cisa-surveillance-cybersecurity)

CNN: "Congress, don't be fooled by cybersurveillance bill"

[http://www.cnn.com/2015/12/18/opinions/polis-cybersecurity-legislation-congress/](http://www.cnn.com/2015/12/18/opinions/polis-cybersecurity-legislation-congress/)

International Business Times: "Controversial Cybersecurity Bill CISA Passes
House, Takes One Step Closer To Becoming Law"

[http://www.ibtimes.com/controversial-cybersecurity-bill-cisa-passes-house-takes-one-step-closer-becoming-law-2232345](http://www.ibtimes.com/controversial-cybersecurity-bill-cisa-passes-house-takes-one-step-closer-becoming-law-2232345)

Washington Times: "Lawmakers line up to complain about last-minute inclusion
of cyber bill CISA in omnibus"

[http://www.washingtontimes.com/news/2015/dec/17/lawmakers-line-complain-about-last-minute-inclusio/](http://www.washingtontimes.com/news/2015/dec/17/lawmakers-line-complain-about-last-minute-inclusio/)

~~~
tptacek
All of these stories are just press hits for people like Amash and Wyden,
whose PR strategies involve courting Internet privacy supporters.

There's nothing at all wrong with that.

Certainly, even when I disagree with them, I'd rather read Wyden and Amash
talking points than hearing about why we should kill the families of ISIS
members. And I mostly agree with Wyden!

But it's just worth remembering that _no matter what had happened_ with CISA
and PCNA, there were always going to be these stories. You take press hits
when you can get them, and these were lay-up press hits.

The House and Senate bills passed with overwhelming support and significant
media coverage, and Obama backed the bill. Nobody is hiding.

------
egwynn
I believe that CISA is mostly about changes within the government itself about
sharing data between agencies. It seems to interface with the non-government
world insofar as it lets companies share their data with government agencies
without getting sued. I do NOT believe it contains any further provisions
_requiring_ private companies to share their data without a warrant. Can
someone tell me if I’m reading it correctly? Not saying I like it, but if it’s
not specifically requiring cooperation, then I guess there’s still some hope
left.

~~~
tptacek
You are reading it correctly. CISA explicitly establishes by statute that
private entities are never required to share data, but that the government
_is_ required to share with private entities.

~~~
dhimes
It also seems to be addressing, by "cybersecurity threats," the act of trying
to hack into information systems. The law seems to be paving the legal way for
facebook to work with google and ycombinator if there was a network attack by
<insert cyber bad-guys> in order to set up defensive measures against the
attack and perhaps share information as to who and where it is coming from.
Personal information _must_ be removed from such shared information, and if
not the insulted party must be notified.

Specific details of how to do this must be decided in the next 90 (or was it
180) days, and compliance oversight reports are required regularly.

I'm a little embarrassed, but I must have missed the part where this makes
things worse. I'm being honest here: If I should be upset about this I need to
know why, please.

~~~
tptacek
There are reasons not to like CISA. I'm pretty irritated by it: I think
organizations like Fight For The Future organized a campaign against CISPA
based on a whole lot of FUD, and for their efforts got us a law that actually
justifies (a very little bit) of that FUD.

Unlike CISPA, CISA allows shared information to be used for law enforcement
purposes. Ideally, threat information shared with the government should be
used solely to improve defenses and prevent breaches; instead, anyone who
shares data now needs to be cognizant of the other uses to which it will be
put.

~~~
dhimes
Law enforcement outside of cyber security? OK, I _did_ miss that. Thanks.

~~~
tptacek
Law enforcement can use indicators to RESPOND TO, PREVENT or MITIGATE "an
imminent threat of death, serious bodily harm, or serious economic harm" (e.g.
almost anything), but can only use it to assist in the PROSECUTION of identity
theft, trade secret theft, or espionage.

(PCNA had broader language that enabled prosecutions of a variety of crimes
with indicator data).

Again, CISPA, the bill FFTF takes credit for killing, had none of this
language.

------
mixedmath
There have been very many versions of laws similar to CISA that have been
proposed, modified, and changed/passed/failed/delayed. When I try to
understand exactly what this CISA version includes, most rhetoric I read is
alarmist and not conducive to actually knowing what can and cannot be done
under CISA.

Is there a digestible explanation of what this CISA entails?

~~~
tptacek
Sure.

CISA defines "cybersecurity threats" and "threat indicators", which are now
legalese versions of the stuff Intrusion Detection Systems track: exploit
code, vulnerability information, and wire traces of attacks.

Everyone already collects this stuff; that's most of what network security
teams are paid to do. The government has several huge network security teams
(they operate the largest IT system in the world), and, of course, the whole
Fortune 500 does as well. All these organizations are collecting information
about attacks and siloing it.

CISA requires the government to establish a process to share indicators with
private companies. So when analysts or IPS systems or anomaly detection
schemes running inside FedGov networks generate a signature for an attack,
there will now be federal rules requiring them to submit that data to a
process that will disseminate it to the private sector.

CISA allows the private sector to do the same thing in reverse, sharing their
data with the government, which will in turn share a facsimile of that data
back out to the rest of the private sector. The bill requires companies to
have a process to ensure they aren't knowingly sharing any personally
identifying information, and they are only allowed to share information that
pertains to the types of attacks defined as "cybersecurity threats". Those
attacks specifically _exclude_ terms of service violations.

Unlike CISPA, which was a more benign bill, CISA explicitly allows local,
state, and federal law enforcement to use threat indicators to prosecute
crimes. CISA has a very short list of crimes whose prosecution can be assisted
with shared indicators --- identity theft, espionage, and trade secret theft.
PCNA, the (now dead) House version of CISA, had a broader list.

Unlike the law of the land before CISPA/CISA/PCNA was proposed, there is now a
path for private companies to share data with the USG regardless of the other
regulatory regimes they're under. This is good if you think sharing attack
information is very important and bad if you think companies that work with
regulated information (driving records, credit scores, medical data, student
records, &c) should operate under different, stricter rules than other
companies. Much of the impetus for these bills was to overcome objections from
legal at BigCos that would never allow any information sharing out of fear
that such sharing could get them sued. They are now immunized from those
suits, so long as they're in good faith sharing only information about actual
cybersecurity threats.

That's pretty much it, at a high level. It's a very short bill, just 30 pages,
and most of the interesting stuff is in the definitions at the top of the
bill. It's worth skimming.

[https://www.govtrack.us/congress/bills/114/s754/text](https://www.govtrack.us/congress/bills/114/s754/text)

~~~
j2kun
Is there a technical definition of "personally identifiable information"?
Would they be required to provide any guarantees on the properties of the
released data to ensure that when other data is shared there's no way to link
them?

~~~
ubernostrum
I don't know if there's a general-purpose one, but for medical data HIPAA has
had definitions and guidelines for PII for a long, long time.

The deeper problem is that any piece or amount of information can, in the
right circumstances, become personally-identifiable, and so the only
guaranteed-safe system would be to forbid collecting or sharing anything.
Which would necessarily result in literally turning off the internet.

~~~
j2kun
There is some degree of mathematical guarantee that one can provide, if one is
only releasing statistics and not individual records. The technique is called
"differential privacy" and it was invented in large part because of a few
high-profile data de-anonymization stunts, one of which was in the health
industry.

At the very least, this allows one to quantify the tradeoff of security and
specificity in what is released.

------
atomicbeanie
Since they're enjoying Star Wars while legislating, maybe Padme's quote is
apropos: "So this is how liberty dies. With thunderous applause."

~~~
PlzSnow
Cringe

------
x1024
Well, this whole Internet thing was nice while it lasted.

~~~
rubyfan
What's the alternative?

~~~
simonvc
End-to-End encryption... Which the UK govt is trying to ban.

~~~
robotkilla
Not sure why you single out the UK - the FBI recently gave an anti-E2E speech.

------
jordanpg
A semi-serious proposal: why don't we just stop caring about this?

By "we", I mean those of us with the technological know-how to protect our own
privacy if desired.

I bring this up because laws like CISA are meant to deal with large-scale
collection of data for ostensibly well-meaning reasons from the vast majority
of internet users. Those vast majorities that aren't lurking on HN, who don't
know or care about the technical details of privacy beyond maybe vaguely
wanting it, who want the internet to work, fast, free, and easily.

It seems to me that with the vast law enforcement and intelligence agencies on
the one side and the even larger internet economy on the other, _there is no
serious getting in the way of whatever flow of information those two groups
agree on._ It doesn't matter what you, me, the EFF, or Edward Snowden think.
_There is far too much money at stake._ And the "privacy" threat, as we
discuss it here, is irrelevant to just about everyone.

Beyond implementing strong crypto with trusted software, for those who care
to, I don't see that there is anything to be done here. As Schneier pointed
out a few years ago, this ship sailed a long time ago:
[https://www.schneier.com/blog/archives/2013/03/our_internet_...](https://www.schneier.com/blog/archives/2013/03/our_internet_su.html)

------
joshmn
Al Franken (D-MN) voted against the original bill; he voted to pass the bill
that was signed into law here. He has a long history of fighting for privacy
and the internet. Having said that, if he thinks this is OK, I probably don't
need to read it. (Though I did.)

Original:
[https://www.techdirt.com/articles/20151022/10133932597/cisa-moves-forward-these-83-senators-just-voted-to-expand-surveillance.shtml](https://www.techdirt.com/articles/20151022/10133932597/cisa-moves-forward-these-83-senators-just-voted-to-expand-surveillance.shtml)

Votes against the bill that was signed into law:
[https://www.govtrack.us/congress/votes/114-2015/s339](https://www.govtrack.us/congress/votes/114-2015/s339)

------
crb002
Rand should filibuster everything until a CISA removal bill is passed.

~~~
um_ya
If only Rand was a robot that didn't need to eat, sleep, or piss. :/

------
rmac
So is there room to build products to help facilitate the sharing of data as
mandated in CISA?

Is there a standard or format for how the government will expect this threat
data to be packaged? STIX / TAXII?

Startups; assemble!

~~~
soared
The most hated startup in the world: "We disrupted the internet's privacy"

------
sschueller
How does CISA apply to US companies with subsidiaries in Europe like
Microsoft? Will Microsoft now be required to hand over data located in
datacenters abroad?

~~~
Vivtek
Not if they want to comply with existing European privacy law, which the
European courts have no problem at all interpreting in maximally draconian
form - up to and including forbidding access to the European market.

Even if the US government would attempt to force companies to do this, they
wouldn't. And as far as I can tell, this bill doesn't force companies to
comply, it just holds them harmless should they choose to comply.

~~~
wolfwyrd
Sadly not. The US courts have already ruled that data held in other data
centres is fair game for a US warrant [1]. In this case the data is held in
the EU (in Dublin, Ireland to be precise) and MS was found in contempt of
court for failing to hand the data over [2]. They're still fighting this case
now - over a year later - and it's currently in the 2nd Circuit Court of
Appeals [3].

This means that the precedent is already set. If the company operates in the
US and is served a warrant, the US Govt wants ALL of the data WHEREVER it's
held.

I'm rooting for MS on this one and hope their appeal is upheld.

[1] [http://www.theguardian.com/technology/2014/apr/29/us-court-microsoft-personal-data-emails-irish-server](http://www.theguardian.com/technology/2014/apr/29/us-court-microsoft-personal-data-emails-irish-server)

[2] [http://www.zdnet.com/article/microsoft-refuses-to-hand-over-foreign-data-held-in-contempt-of-court/](http://www.zdnet.com/article/microsoft-refuses-to-hand-over-foreign-data-held-in-contempt-of-court/)

[3] [http://www.techweekeurope.co.uk/e-regulation/microsoft-resist-email-handover-176516](http://www.techweekeurope.co.uk/e-regulation/microsoft-resist-email-handover-176516)

~~~
ionised
The problem is that the EU recently ruled that it was illegal for US companies
to send data back to the US for any reason.

The US and EU obviously have two completely incompatible rulings in play now.

------
ck2
By the way, I haven't heard CNN or NBC mention CISA once this week.

So apparently corporate media has no problem with CISA for some reason.

Since congress rarely writes its own laws and lets the industry write them for
it - who actually wrote CISA? There's no way congress would know what to
ask for. Did the NSA write CISA?

~~~
merpnderp
Lobbyists don't do "back room deals" for the fun of it. They do it so that
there's no accountability. Democracy should have no secrets, and this is a
disgrace.

~~~
MicroBerto
What makes you think this is a democracy?

~~~
mindslight
What makes you think this isn't?

~~~
MicroBerto
The fact that it's not

~~~
mindslight
So, no true Scotsman?

~~~
MicroBerto
No, this is AMERICA

~~~
mindslight
Oh, I think I misinferred where you were coming from. From context, I had
thought you were advocating that we needed to _democracy harder_. On
reflection it seems more likely you're espousing the viewpoint that USG hasn't
been specified as a democracy, so people advocating to democracy harder are
asking for nonsense.

In some sense that would put us closer to agreement, but from my perspective
that viewpoint clings to a prescriptive model that is clearly irrelevant at
this time. Democracy has become our _national religion_, and the mechanics of
how the celebrities obtain office aren't so important as the idea that no
action is off limits to the court of public opinion, adjudicated by the media.

------
transfire
I think the "big deal" about CISA is that it essentially gives the heads of
state the ability to say "cybersecurity threat indicator" and by so doing
collect any information or spy on any system they wish without warrant or any
other form of informed oversight.

------
imaginenore
Well, more encryption should be our response. It will backfire in ways they
didn't even consider.

------
transfire
My favorite clause...

"(e) Prohibited conduct -- Nothing in this title shall be construed to permit
price-fixing, allocating a market between competitors, monopolizing or
attempting to monopolize a market, boycotting, or exchanges of price or cost
information, customer lists, or information regarding future competitive
planning."

Does this imply it could have been construed that way without this clause?

------
rayalez
I don't get it, can somebody explain this to me, why does this stuff happen in
democracy?

How can public fight government for years and lose?

How is it possible to pass a law in the US that is clearly against everyone's
will? I mean, for all I know, most of the people are strongly against it,
except for a few politicians; nobody wants this to happen, so how is that even
a discussion?

~~~
robotkilla
> why does this stuff happen in democracy

Because democracy only works when people actually care. Most US citizens are
more concerned about the Super Bowl than government.

> How is it possible to pass a law in US that is clearly against everyone's
> will?

Who is everyone? Again - most people don't give a shit.

------
tosseraccount
The debt to GDP ratio keeps rising: [http://www.tradingeconomics.com/united-states/government-debt-to-gdp](http://www.tradingeconomics.com/united-states/government-debt-to-gdp)

The day of reckoning is coming.

~~~
laotzu
Money is debt by design, and GDP and money creation are positively correlated
on purpose. I'm not sure what you're trying to point out here.

------
rplst8
The article doesn't mention CISA. If it did, they changed it.

~~~
twoodfin
Yeah. I think the modified title used by the OP is effectively editorializing.

------
clientbiller
Anyone know how to find out who wrote the bill?

