I think the complaint that there is no real recourse if a company chooses to share information that does not fit the definition, as the bill grants immunity for such actions and there is no way for an individual to know the information was shared (in order to sue the Fed within the 2-year time frame required), is valid. So one improvement would be to remove the immunity clause. (Or something similar to Rep. Justin Amash's proposed amendment.)
When Qwest refused to participate in the Fed's illegal spying program, they punished them by moving a large contract from the company. I read nothing in skimming the bill that would prevent the Feds from pulling a similar stunt, promising immunity under CISPA as the carrot, while threatening them with a stick (money) like they did to Qwest.
Another possible improvement would be to expand the mission of US-CERT, to make them the point of contact for all information sharing, require them to validate that it is cybersecurity related, and then they become the clearing house and the single accountable agency within the US Government for all CISPA-related data. (There may be another agency more suitable than US-CERT, but I use them as an example.)
There have been several amendments proposed to improve the privacy protections in CISPA, but they have been blocked, and thus we are left to ask why. If it is all good intentions, why block the proposed protections that help ensure that good intentions don't go awry?
You have three concerns:
1. That even though the bill tries to specify what kinds of information can be shared under CISPA, the penalties for "over-sharing" with the USG are very fuzzy (you are immunized not just for sharing to the letter of the bill, but also for "good faith" sharing).
2. That the bill does not prevent the USG from retaliating for failing to cooperate with efforts outside the scope of the bill.
3. That the bill could build up US-CERT instead of diffusing authority (and potential conflicts of interest) through DOJ, DOD, and DNI.
I agree with the 1st, but not the 2nd or the 3rd concern. In particular: your 2nd concern militates for another bill, not an amendment to CISPA.
This DIB Enhanced Cybersecurity Service is being handled by the defense contractors who donate to Mike Rogers:
8. General Dynamics
9. SAIC Inc
9. Lockheed Martin
9. Northrop Grumman
19. BAE Systems
Their letters of support for CISPA, referencing the DIB program, are on the Senate website:
I write to you on behalf of the National Defense Industrial Association (NDIA) to express our support for The Cyber Intelligence Sharing and Protection Act of 2011 (HR 3523). ... As you are aware, NDIA is a non-profit organization, and is America's leading Defense Industry association, ... Our members represent the entire spectrum of the Defense Industrial Base (DIB). ... To illustrate, some NDIA members have participated in the Department of Defense's DIB Pilot program...
The bill also gives businesses certainty that cybersecurity information shared with the government would be provided safe harbor and would not lead to frivolous lawsuits, among other protections.
"I am pleased to write to you to express CSC's wholehearted endorsement of the "Cyber Intelligence Sharing and Protection Act of 2011" which you released today and which requires the Director of National Intelligence to establish a program allowing certified organizations to use classified cyber signatures to help protect their IT enterprises...
As you know, CSC was the first IT enterprise company invited to join the defense industrial base pilot program (DIB)...
This program was quietly started around 2011:
NSA allies with Internet carriers to thwart cyber attacks against defense firms
The National Security Agency is working with Internet service providers to deploy a new generation of tools to scan e-mail and other digital traffic with the goal of thwarting cyberattacks against defense firms by foreign adversaries...
The Internet carriers are AT&T, Verizon and CenturyLink. Together they are seeking to filter the traffic of 15 defense contractors, including Lockheed, CSC, SAIC and Northrop Grumman.
There is at least $6B waiting to go to the defense contractors to help the NSA. (They're already working with the NSA on the big Utah datacenter):
Northrop, SAIC, ManTech among those to bid for DHS' $6B cyber program
Northrop Grumman Corp., ManTech International Corp. and SAIC all confirmed to me their plans to bid as a prime contractor for DHS' Continuous Monitoring as a Service program, which will be worth up to $6 billion over five years
1. John Poindexter + SAIC + TIA Program = $200 million turd.
2. ADVISE (DHS ) $47 million turd
3. Trailblazer (NSA) $280 million fiasco + turd
4. Turbulence (NSA) $500 million/year, as of yet to be disclosed but very likely turd.
Why am I annoyed that everybody behind CISPA is participating in a charade, when we could just cut to the point and debate the merits and concerns regarding the project motivating it?
Why am I annoyed that we don't get a voice in this, and the companies receiving the billion dollar contracts for this specific bill, who also fund the politicians putting it through, do?
Why am I annoyed that attempts were made to amend the bill to actually almost fit what you're claiming it is for, by protecting customer payload data, and they were shot down?
I am confused about why you aren't. I feel like you've been stuck in anti-rageview mode when it was first said that this was about copyright issues, and you over-committed to that position, and that you normally wouldn't support this.
Tasers were passed as an alternative to shooting a suspect, now they're used routinely for detainment. The various terrorism laws are now being used clearly outside the scope of terrorism (hackers, drugs, etc). The DMCA is being all kinds of abused outside its scope.
This is what we're rightly-concerned about.
Edited to add: The NSA, in cooperation with the DHS, has been running the pilot program related to this for several years. AT&T, the largest non-defense contractor throwing money at this, is helping them. There are billions in government contracts and quasi-regulatory capture (note the language about certified cyber security providers) waiting to change hands over this. Then everybody can share with the NSA, customers lose all rights, and don't even know it's happening. This is a legalized version of the warrantless wiretapping scandal.
You're right that it's not a dichotomy; I'll try not to portray it as one (as much --- the failure of CISPA does set the Democrats up for another bite at the apple on their proposed regs, which are OMG worse).
Let me guess... "Terrorism."
For example, right now due to the lack of clear regulations concerning digital storage, a lot of law enforcement agencies believe that they can legally access people's personal email without a warrant. This should be corrected with a clear law that says you need a warrant, since the 4th amendment's talk of being secure in "papers" is too vague.
There's good regulation and bad regulation. "Less regulation" is a good sound bite, not a good strategy.
This is just scaremongering combined with a deliberate abuse of power in order to trick a compliant public into even more repressive laws.
This is not about less or more regulation; this is about burying new regulation removing people's rights, hidden inside unnecessary fake regulation.
Useful new regulation regarding the internet is very, very rare. 99% of it is a cover for something else.
And of course the biggest giveaway is that the internet should have led to less regulation, because all kinds of physical restrictions no longer apply or are impossible to enforce. But we don't see proposals for that, now do we?
CISPA has no intention of stopping this. Quite the opposite, really. The vague wording and hush-hush push to get this passed gives rise to the idea that CISPA is a tool to force more of this kind of behavior, not stop it.
>The Internet absolutely does need more regulation
Really? That's a scary thought.
In the general case, I really wish we could agree to not try to argue factual or legal matters according to vague notions of "common sense." I feel like a lot of these types of discussions on HN quickly devolve into one person stating a fact, and the other person saying "that doesn't seem right." Lots of things that are factually true don't match your or my conceptions of how the world should work.
It is not reasonable to run a security response group that needs to get a court order every time an incident occurs.
Google hands over email addresses based on court orders and (less frequently) warrants. http://www.google.com/transparencyreport/userdatarequests/ -- it should be noted that Google complies with the requests a majority of the time. Also, it is reasonable to assume that it is mostly American gov't agencies who make up most of the requests.
Even if you think it is, you're not addressing the concern, which is that regardless of what the situation is with user data, it is difficult for private companies to share operational intel with the USG, and even more difficult for the USG to share operational intel out.
If the USG thinks John Doe is a criminal, they can go after his data via various avenues, including warrants, subpoenas, NSLs, blah blah. This is one situation.
A separate situation is that Google thinks there is crime afoot, and wants to report it, but they cannot meaningfully give any information to law enforcement because of privacy laws.
It's like if your business got burgled, and you let the cops into your business to collect evidence, and while doing their job there they find out that John Doe is one of your customers, and that he visited your shop on July 9th, or something, and now you committed a crime for letting the cops know about John Doe.
I'm not saying CISPA is a good idea or a bad idea. (And I think various people have raised some legitimate concerns.) I'm saying that you should try to understand what it's permitting; it's not giving the USG new abilities to force their way in to read user data, it's giving victims of crime permission to take certain actions to fight crime. (Maybe we shouldn't give them those permissions, though.)
And by the way, it might be reasonable to make assumptions about how many of those transparencyreport requests are USG agencies... EXCEPT that the same *@$% page you linked has actual numbers, that prove your assumption wrong. In the most recent 6-month reporting period, 21,389 total requests, 8,438 of them (40%) from the USG.
This is one of those places where I'd suggest you want to be careful what you wish for. Here's why:
If we can generally agree that there is a kind of operational network security data that should reasonably be shareable --- say, Netflow records corresponding to a DDoS in progress --- and that data is routinely generated, then requiring a court order to share it routinizes the court order process.
When you make a routine out of what was intended to be an exception, it stops being an exception. A court order is a demand from the state that someone do things. We probably want court orders to be on the "right" side of the base rate fallacy.
Did you read the definition of cyber threat information in the bill? It's here: http://intelligence.house.gov/hr-624-bill-and-amendments
If so, I'd be interested in your ideas for improving the definition.
Thank you for the thoughtful comment.
The issue is that there aren't. You can't argue that we should pass this bill because you believe some different bill would be less problematic. Get the Senate to insert an amendment with whatever language you're talking about and show a page on eff.org explaining how the amendment addresses all of their concerns, then you can make that argument.
The other issue is that the exemption encompasses not only information sharing, but any "good faith" action taken based on the information. I understand what they're going for there. If some law prohibits sharing information, it probably prohibits use too, which would get in the way of what they're trying to do. The problem is, again, that they're not talking about specific laws. So if they respond to the information by hiring Blackwater to raid what they believe to be the attacker's home, no liability? That's not OK.
The CIA and FBI need to be able to research and distribute malware. The government needs to have a way to do something in cyber warfare scenarios. This is why the bill has so many supporters.
My guess is that big businesses are supporting this (Google) due to them having been bit by state-sponsored attacks in the past (http://world.time.com/2012/06/06/google-warns-gmail-users-of...).
Can you elaborate on why that is?
"Something must be done" is the refrain of private defense contractors seeking new revenue streams following the tapering off of our most recent foreign excursions. "Cyber war" is total B.S. It's just taking the same industrial espionage issues that have existed forever and adding "on a computer" to it in order to increase the hype level.
There are a ton of things the government could actually do to help with information security. Some of them are even in the bill -- I don't think anyone has a problem with government providing threat information to the private sector. Or how about more funding for security research. Incentives to implement protocols like DNSSEC.
But there is no excuse for exempting corporations from all privacy laws using extremely vague language. The problem with this bill is very much the implementation rather than the intent, but "good intentions" are no justification for bad legislation.
TechDirt points out a key Congressman's wife is in security contracting, an industry very interested in the outcome of this bill:
... as we've noted all along, all attempts at cybersecurity legislation have always been about money. Mainly, money to big defense contractors aiming to provide the government with lots of very expensive "solutions" to the cybersecurity "problem" -- a problem that still has not been adequately defined beyond fake scare stories. Just last month, Rogers accidentally tweeted (and then deleted) a story about how CISPA supporters, like himself, had received 15 times more money from pro-CISPA groups than the opposition had received from anti-CISPA groups.
So it seems rather interesting to note that Rogers' wife, Kristi Clemens Rogers, was, until recently, the president and CEO of Aegis LLC, a "security" defense contractor company, whom she helped to secure a $10 billion (with a b) contract with the State Department. The company describes itself as "a leading private security company, provides government and corporate clients with a full spectrum of intelligence-led, culturally-sensitive security solutions to operational and development challenges around the world."
Hmm. Sounds like a company like that would benefit greatly from seeing a big ramp-up in cybersecurity FUD around the globe, and, with it, big budgets by various government agencies to spend on such things.
Of course, now it's up to the Senate.
I'll give you that DNSSEC is imperfectly designed, but given that it hasn't been widely deployed, why not just make DNSSECv2 which addresses the concerns (like have the end user device verify the signature)?
So the problems with DNSSEC then boil down to:
* TLS isn't designed to depend on the security of the DNS. How you know that is, TLS works today, and nobody uses DNSSEC. So if everything needs TLS anyways, why forklift in a new DNS when we could instead work on making TLS better?
* DNSSEC actually degrades the DNS. In a couple of ways. First, DNSSEC changes the security model of DNS records; they're now signed, but also they're public. For a long time, DNSSEC advocates claimed that DNS records were always public, but that's clearly not true; try to dump Bank of America's zone files. When the advocates lost the argument, they introduced a grotesque hack that turned DNS zones into crackable password files (this is "NSEC3"). That's just one example; there are better examples.
There is a proposed alternative to DNSSEC that I like: DNSCurve. DNSCurve gives up on the idea of signing DNS records and instead just allows any DNS client to create a secure connection to any DNS server. That's a totally sane improvement to the DNS which inexplicably isn't included in DNSSEC (your DNS lookups in a DNSSEC world are still unprotected!). We should do that instead of DNSSEC.
For one thing, not everything uses TLS (even if it should). TLS normally requires support by the application, securing DNS could be done in the OS. You could fix DNS and have at least that fixed even for all the legacy applications that nobody is ever going to update to use TLS. It would also make IPSec easier to deploy to the same effect because it would allow the DNS to be used for key distribution. And likewise for distributing ssh host keys.
I'll give you that DNSSEC is poorly designed, but I don't necessarily want "DNSSEC" in particular, I'm just looking for something that allows client devices to securely verify DNS query responses. Does DNSCurve do that? The Wikipedia entry doesn't clearly distinguish whether it's securing the connection to the server or the query response. In other words, does DNSCurve allow you to detect if your ISP's DNS resolver is compromised?
Personally, I would be happy to see less power given to law enforcement agencies. Maybe a quid pro quo: we let them access communications more easily if they stop using soldiers to do police work.
"that whole issue of having the ability to do something about cyberterrorism"
Something like this?
Do you really think we need another E911 document prosecution in this country?
"The CIA and FBI need to be able to research and distribute malware"
They already do that. What does CISPA add?
I mean... The things they want to do are comparable with monitoring all phone calls. Listening to all phone calls and trying to catch dangerous words in the conversations. Why did nobody try to do this with phone calls, but now they try to do this with on-line messaging and social networks?
All CISPA is, is the next logical progression of the totalitarian state. It harks back to the Patriot Act. There was an event of terror. Therefore there must be "terrorists" out there and we really need protection from them. So much so that we are willing to surrender our rights to a fair trial.
CISPA is the same thing. It focuses on one instance, or issue, and abstracts people's actions away from that to make it seem like something they'll never have to deal with. Case in point: no one thinks that they'll be detained and held without trial, but that still doesn't mean the government can't do that.
Check YouTube's transcriptions. They suck.
The question is if we need it, and if it won't be abused?
I think we were doing pretty fine without monitoring phone calls, so why do we want to monitor on-line services? Because it's simpler is not a good answer.
I realize that the author probably meant that Ohanian would have connections who might have connections who would have Larry Page's phone number, but the wording of that briefly made me think that the author thought there was some secret phone book you get when you cash out your popular startup for a certain amount.