A decade after the September 11 attacks, Congress still hasn't effectively addressed cybersecurity, an oversight they seem determined to correct in this election year. Thus Thursday's rushed passage of the deeply flawed Cyber Information Sharing and Protection Act (CISPA) in the House of Representatives.

It's become the norm for how this nation's government has responded to a new paradigm of national security: ineffectively, with an emphasis on distrust of the citizenry, and heavy-handed, broad stroke measures that do more to restrict civil liberties than to effectively combat national security threats. Not every measure taken reaches the pointless, infuriating, bankrupting destruction of a needless war on a country that posed no threat to us, but most have been about as pointless. Warrantless data collection sucks up trillions of pieces of innocuous data from all of our lives, more data than can be effectively sifted through, more data than is conceivably necessary to protect us from ourselves.

CISPA is the next assault. Couched as a program to protect the country's critical infrastructure (banking systems, electrical grids, water systems, communications networks, transportation facilities), the bill passed by the House absolutely fails to do that, because Republicans steadfastly refuse to make those industries protect themselves. That would be "job-killing" regulation, they say. But, hey, why make your corporate friends contribute to their own protection when you can take more civil liberties away from an uncomplaining public and call the job done?

That's what the House-passed cybersecurity bill does. To recap:

  • It is incredibly broadly written to give the government access to anyone's personal information, and for private entities to share that information. An amendment passed Thursday that was couched as an improvement in narrowing the bill actually broadened it. What had been far too loosely lumped as ill-defined "cybersecurity or national security purposes" now says "1) cybersecurity; 2) investigation and prosecution of cybersecurity crimes; 3) protection of individuals from the danger of death or physical injury; 4) protection of minors from physical or psychological harm; and 5) protection of the national security of the United States." Note that "cybersecurity" and "national security" are not defined or limited in any way.

    Cybersecurity should mean protecting networks and systems from hacking, malicious code like viruses and Trojan horses, denial of service attacks and other disruptions. Now we have bodily harm and child exploitation in what is supposed to be a technology bill. That means it gives the government huge leeway to collect data on citizens—unrelated to cybersecurity—with no regard to the laws in place to protect privacy. That's because:

  • CISPA supersedes all other provisions of the law protecting privacy. That quote up there in the image at the top of this post, that's directly from the legislation: "notwithstanding any other provision of law." So the government can start building a case against you for a completely non-cybersecurity related purpose and you have no privacy protections. That information (private emails, browsing history, health care records, or any other information) can be collected by private companies if they think it might be helpful in dealing with a "cyber threat," or even a not "cyber" threat—a threat of bodily harm or child exploitation.
  • If a company ends up collecting your information outside of this law (the outward bounds of which are pretty impossible to determine at this point), they have complete civil and criminal blanket immunity built in. They have no incentive not to share everyone's private information, potential threat or no.
  • Not only can you not sue, you can't find out what has been collected about you because the bill completely exempts itself from the Freedom of Information Act.

Those are just a few of the issues, for a bill that does what companies can already do, but under the restriction of privacy laws. Tim Lee points out that "network administrators and security researchers at private firms have shared threat information with one another for decades." He also warns:

Theoretically, private companies are free to refuse to share any new information with the government. But the government has a variety of carrots and sticks it can use to induce private firms to share information it wants. Many large companies receive government subsidies, and many also have business before executive branch agencies. So when a future administration asks a private firm to "voluntarily" hand over its customers' private data, it may not be in a position to say no.

That's what passed the House, under the threat of veto from the White House. Now it's on to the Senate, where Sens. Joe Lieberman (I-CT) and Susan Collins (R-ME) have introduced S. 2015, The Cybersecurity Act of 2012 and Sen. John McCain (R-AZ) has the competing S. 1251, The SECURE IT Act of 2012.

Neither of them is good, and both, again, override every existing privacy law, trumping them in the name of poorly defined national security. The McCain bill is worse, structured like CISPA, requiring no regulations for industry to step up its own security, and giving intelligence agencies access to mountains of private data from citizens. But the McCain bill is unlikely to move forward, as Senate leadership, and the White House, back the Lieberman Cybersecurity bill.

Lieberman's Cybersecurity Act gets higher marks from security experts because it, remarkably, actually sets security standards for some companies—those which "would cause mass death" or "major damage to the economy, national security, or daily life" if attacked. But those experts see loopholes in that it leaves out the information-technology industry and Internet service providers. That, from a privacy standpoint, is far preferable to the overreach of CISPA.

Lieberman's bill also provides some more privacy protections, requiring that companies sharing cyber threat information make "reasonable efforts" to remove from the information they share personally identifiable information unrelated to the cybersecurity threat. But it still goes too far. The Center for Democracy and Technology notes that both bills:

have broadly written provisions that would authorize ISPs and other companies to:
(i)  share private communications with the National Security Agency and other federal entities, or with any other agency of the federal government designated by the Department of Homeland Security;
(ii)  monitor private communications passing over their networks; and
(iii)  employ countermeasures against Internet traffic.

The new authorities would trump existing privacy laws.

Existing privacy laws have been compromised enough. Now the very real threat exists that they will be made completely moot by overly broad legislation that gives the government largely unfettered access to our most private—and irrelevant to national security—information. Like CISPA, the Lieberman Cybersecurity Act is far too broad, far too vague and far too dangerous to civil liberties.

There is an alternative: narrow fixes to existing statutes. For example, Jim Dempsey of the Center for Democracy and Technology points out that Congress could "update wiretapping law to make it clear that service providers are allowed to share information about attacks with one another." Those companies, as already mentioned, can already share that information with government. We don't need a new law to achieve either of those goals.

Congress could also set industry standards for a more defensively oriented strategy championed by EFF. Instead of going on offense and turning on the citizenry, further restricting our rights, they could focus on the actual technology and secure U.S. critical infrastructure networks. "Fundamentally," they say, "it's very simple: fewer software vulnerabilities means more security."

Focusing on actual security, and ending the continuing encroachment of our Fourth Amendment protections, should be the direction this nation finally takes, a decade after September 11.

  •  leave it to the repug house (7+ / 0-)

    to attempt to destroy the internet industry, one of few industries in the world where the U.S. actually leads.  

    So of course now, as internet industry standards progress in the U.S. via the entrepreneurial spirit so championed by the repugs themselves, it has to be up to the stoopid hypocritical repug house to kill the very goose that lays the golden egg.  Probably because of too much accurate information out on the web that the creepublicans can't control for their own propaganda means.

  •  Really appreciate this analysis. Wonder what other (4+ / 0-)
    Recommended by:
    sb, ferment, mcmom, ardyess

    than a veto threat, has the Obama Admin has provided in terms of guidance?
    Alec Ross, a senior adviser for innovation to Hillary Clinton, reiterated the administration's opposition to the proposals in more explicit language than previous statements from officials.

    "The Obama administration opposes Cispa," he told the Guardian. "The president has called for comprehensive cybersecurity legislation. There is absolutely a need for comprehensive cybersecurity legislation.

    "[But] part of what has been communicated to congressional committees is that we want legislation to come with necessary protections for individuals."

  •  specific connection: 9/11 and cybersecurity? (2+ / 0-)
    Recommended by:
    sb, atana

    What is the intimate connection between internet privacy and the 9/11 terror attack?   Is there a proper understanding that sifting all email would've provided any greater information for a warning than tapping all phone communications, for example?

    When an article ledes with:  "A decade after the September 11 attacks, Congress still hasn't effectively addressed cybersecurity," then at the very least making this connection should be made explicit as to how an ISP handing over all its traffic to the FBI would've likely alerted us (even moreso) to such an imminent threat.

    •  Maybe If They'd Read Everybody's EMail... (4+ / 0-)
      Recommended by:
      magnetics, sb, mcmom, maryabein

      ...they would have found out that bin Laden was determined to attack inside the US... oh, wait, never mind....

      On the Internet, nobody knows if you're a dog... but everybody knows if you're a jackass.

      by stevemb on Sun Apr 29, 2012 at 12:16:20 PM PDT

      [ Parent ]

    •  Protecting critical infrastructure (1+ / 0-)
      Recommended by:
      mcmom

      transportation and water system, electrical grids, the financial systems. All those electronic and Internet systems that keep the country running.

      And, yeah, that doesn't seem to have a lot to do with sharing any and all of our medical records or book purchases.

      "There’s class warfare, all right, but it’s my class, the rich class, that’s making war, and we’re winning." —Warren Buffett

      by Joan McCarter on Sun Apr 29, 2012 at 01:01:19 PM PDT

      [ Parent ]

  •  Richard Clarke nailed it (5+ / 0-)

    He had a fascinating interview in the most recent Smithsonian of all places.  We launched a cyberwar with Iran with Stuxnet and it has gotten loose.  The dumbfucks that planned it assumed they had accounted for all scenarios.

    I am an IT Architect with nearly 30 years experience and I will be surprised if our electronic financial transaction system has not been effectively destroyed by a cyberattack.

    The banks are just like the airlines were before 9/11.

    -9.00, -5.85
    If only stupidity were painful...

    by Wintermute on Sun Apr 29, 2012 at 12:13:31 PM PDT

    •  destroyed by the end of the decade... (2+ / 0-)
      Recommended by:
      magnetics, Joan McCarter

      Missed that predicate... ;-)

      -9.00, -5.85
      If only stupidity were painful...

      by Wintermute on Sun Apr 29, 2012 at 12:16:11 PM PDT

      [ Parent ]

    •  I've seen a couple of other (1+ / 0-)
      Recommended by:
      justintime

      interviews he's done.

      Of course the banking system is going to be attacked eventually, and what the House passed would do almost nothing to prevent the attack or minimize the damage. The Lieberman bill seems like it would be a little better, but not worth the trade-offs.

      "There’s class warfare, all right, but it’s my class, the rich class, that’s making war, and we’re winning." —Warren Buffett

      by Joan McCarter on Sun Apr 29, 2012 at 01:09:21 PM PDT

      [ Parent ]

    •  but no one is listening (2+ / 0-)
      Recommended by:
      Gottlieb, papercut

      Like Wintermute, I've been in IT (identity security) for almost 20 years, and find the ignorance, laziness and outright recklessness of both private and public institutions in their failure to adopt reasonable defensive measures absolutely stunning. The real problem is that the entire "stack", as we call it, is unbelievably vulnerable -- from the physical network, up through the software infrastructure (the Domain Name System, DNS), to the web servers and finally end-user applications like web browsers. Under pressure from business and government buyers, the people who market these pieces have made design compromises for "user convenience", and those who maintain them are hamstrung by the same "deciders". The military, along with their multitude of contractors, comes up with an electronic version of MAD (Mutually Assured Destruction) as the "cure", because the morons who write the checks are always looking for the easy way out and there's gobs of taxpayer money that can be spent on it.

  •  Wow! If the WH backs the Lieberman bill.... (4+ / 0-)
    Recommended by:
    ukit, sb, ferment, LeftOverAmerica

    we are still completely sold out.

    The hungry judges soon the sentence sign, And wretches hang, that jurymen may dine.

    by magnetics on Sun Apr 29, 2012 at 12:26:36 PM PDT

  •  Citizen-level solutions are necessary (6+ / 0-)

    as a component. By that I mean countermeasures like the use of public-key encryption. Unfortunately, people seem willing to compromise privacy if it takes any effort whatsoever to promote it.

  •  Does this mean... (1+ / 0-)
    Recommended by:
    Joan McCarter

    ...that getting on a plane will ultimately be run through a copy of the same databases that determine credit approval?  I mean, I know that is there already, but this seems like it could all glue together, the corporate and governmental definition of "bad person"...

    ...j'ai découvert que tout le malheur des hommes vient d'une seule chose, qui est de ne savoir pas demeurer en repos dans une chambre.

    by jessical on Sun Apr 29, 2012 at 12:55:34 PM PDT

    •  No (1+ / 0-)
      Recommended by:
      jessical

      Probably not. There's really not talk of shared databases and systems, but information. That same information, I suppose, could end up in disparate databases, but I don't see one system overall.

      "There’s class warfare, all right, but it’s my class, the rich class, that’s making war, and we’re winning." —Warren Buffett

      by Joan McCarter on Sun Apr 29, 2012 at 01:04:44 PM PDT

      [ Parent ]

  •  I wonder how likely it is anything gets passed (0+ / 0-)

    considering the differing approaches of CISPA and the Lieberman bill. Maybe Congressional gridlock is the civil liberties advocate's best friend in this case.

    The Lieberman bill imposes regulations on businesses to ensure their own cyber security - and of course, ANY additional regulation or cost to business is going to be opposed by Republicans.

    Unlike SOPA, there's a real difference of approach here, which combined with public opposition, could derail these bills.

  •  Thanks for the care and time expended (0+ / 0-)

    in this article. It is not "sexy" enough to make the MSM, evidently, as videos of cute pets and little kids do more for their ratings. God help us all!

    I think, therefore I am. I think.

    by mcmom on Sun Apr 29, 2012 at 01:28:52 PM PDT

  •  Congress is afraid of the Internet (1+ / 0-)
    Recommended by:
    papercut

    Congress works for the 0.01%, who haven't been able to figure out how to control all the messages in the Internet. They would be happiest if the Internet consisted solely of retailer pages for Target and Macy's. Those they would probably allow.

    But what's with all this information stuff? What is that? Couldn't some of our information get out on the Internet? Like that Bradley Manning guy?

    Gotta put a stop to that. Kill the thing off.

    Women are the only oppressed group not allowed to name their oppressors.

    by atana on Sun Apr 29, 2012 at 01:35:31 PM PDT

  •  Once again, context removes the distortion (0+ / 0-)

    when someone takes one provision out of context and claims that it allows unlimited government intrusion and spying on private citizens.

    This one provision is nested within other provisions and conditions where it is applicable. Nobody seems to care about understanding the definitions and conditions that are written into this bill.

    It's not to say that this bill isn't a lousy one; it is. But it is very specific and makes it clear that this one provision does not permit unlimited government spying on citizens in any way, shape, or form.

    Yes, the Freedom Foundation and the ACLU have valid complaints about the ambiguity found throughout this bill. The definitions are vague and the conditions aren't clearly stated. The personal privacy provisions aren't stated clearly and it leaves some questions about where these protections apply. The last-minute amendments tell me that even the sponsors of the bill don't understand what it's about.

    Yes, it should be dumped in the Senate and vetoed if necessary. The bill has raised concerns that simply aren't there. Whatever its intent, they got it all screwed up.

    The first misinterpretation is found up front where the conditions of this bill are spelled out. The provisions don't even kick in unless there's a real cyber-crime involvement. This determination requires a warrant, although this isn't specifically spelled out in the bill. Another trigger is a declaration of a national cyber-emergency by the president. Unless these conditions are met, nothing else in this bill applies.

    The second big misinterpretation is the vague definition of what constitutes a cyber-security provider. I read the definition to mean the public and private experts in this field. On a simple scale, think of Symantec or McAfee and the like. Only on a much more sophisticated scale using highly advanced technology. The military cyber-security units, computer science experts, and specialized contractors are parts of the cyber-security team. The bill specifically excludes private citizens from this group. The bill also requires that the sharing of personal information is prohibited.

    Sharing the private information between the various cyber-security experts is not the same thing as sharing personal information. The former allows the sharing of private and proprietary technologies for detecting and responding to real evidence of cyber-security attacks on businesses or government agencies that requires probable cause and a court-issued warrant.

    Again, even under these conditions, the sharing of personal information is prohibited.

    Also, any proprietary and private information shared between cyber-security provider organizations cannot be used for competitive advantage or marketing purposes and such. How the hell they would detect or enforce this isn't addressed. I don't think it's enforceable.

    I can't figure out why this bill was ever written in the first place. All of these things are allowed under current law. Privacy laws also apply. I can come up with a couple of thoughts. One is that this is a way for the private cyber-security businesses to extort money from the feds without the need to bother with security clearances and such. Another thought is that this is merely a Republican plan to try to paint Obama into a corner. Obama vetoed a bill that protects our children from nasties on the vast network of tubes, for example. The bill doesn't do this, of course, but it is time to pull out all of the political traps.

    Whatever way you want to misinterpret the vague language in this bill is perfectly acceptable with me. Just don't bother with the ad homs and insults this time. Mmmkay?

    "All people are born alike - except Republicans and Democrats" - Groucho Marx

    by GrumpyOldGeek on Sun Apr 29, 2012 at 01:41:44 PM PDT

    •  Did you not see the part about "notwithstanding (1+ / 0-)
      Recommended by:
      LeftOverAmerica

      any other law"?  Also, where does it say that a warrant is required and that the sharing of private information is prohibited?  Remember, when the DMCA was passed people like you swore up and down like crazy that it would never be used against third party toner and printer ink cartridge manufacturers but it was.  If you seriously think ISPs won't hire a "cybersecurity provider" to capture every link visited, every email sent, every website post you make, etc and send it off to god knows where in the name of "preventing bodily harm" or "preventing the theft of intellectual property" then you are naive.  Especially the "preventing the theft of intellectual property".  After all, wouldn't detecting/blocking the posting of a link to a copyrighted TV show on Youtube or posting a link to a torrent of the latest Microsoft Office fall under "preventing the theft of intellectual property"?  Also, you can bet your ass that the RIAA/MPAA will sue any ISP that doesn't monitor everything for contributory infringement once this law is passed.

      There is no saving throw against stupid.

      by Throw The Bums Out on Sun Apr 29, 2012 at 02:29:44 PM PDT

      [ Parent ]

      •  I'll ignore the insulting parts of your commentary (0+ / 0-)

        It isn't appreciated nor helpful.

        I'll repeat the fact that I am strongly against this bill. It's crap. Maybe you missed that fact.

        My comment has two parts. The first is about the one sentence big and bold out of context quote. This is a gross distortion of this bill.  Out of context, it isn't a valid law. Yes, I understand the "notwithstanding" clause. Apparently, many others don't.

        Secondly, the bill is supposed to be about cyber-security providers and nearly everyone seems to think that this is some kind of secret code that permits unrestricted spying and data gathering for everything that passes through the Internet. This seems to be easy to misinterpret if one assumes that English language meanings of the words apply here. This is probably the cause of most of the misinterpretation. The terms are used often in government security documents. I know. I've dealt with the requirements for decades. I've been through and led a boatload of government and private security audits over a few decades.

        I understand what they're trying to do in this bill. I also understand other laws that apply and the details of those requirements.

        Saying that I'm naive or that I don't understand this stuff or that I'm trying to justify this crappy law is just being dickish™.

        But you asked some specific questions:

        The bill permits sharing of technical cyber security details.

        sharing of certain cyber threat intelligence
        and cyber threat information between the intelligence
        community and cybersecurity entities
        It is very specific about what is and isn't permitted for use by government agencies.
           (c) Federal Government Use of Information-

                `(1) LIMITATION- The Federal Government may use cyber threat information shared with the Federal Government in accordance with subsection (b)--

                    `(A) for cybersecurity purposes;

                    `(B) for the investigation and prosecution of cybersecurity crimes;

                    `(C) for the protection of individuals from the danger of death or serious bodily harm and the investigation and prosecution of crimes involving such danger of death or serious bodily harm;

                    `(D) for the protection of minors from child pornography, any risk of sexual exploitation, and serious threats to the physical safety of such minor, including kidnapping and trafficking and the investigation and prosecution of crimes involving child pornography, any risk of sexual exploitation, and serious threats to the physical safety of minors, including kidnapping and trafficking, and any crime referred to in 2258A(a)(2) of title 18, United States Code; or

                    `(E) to protect the national security of the United States.

                `(2) AFFIRMATIVE SEARCH RESTRICTION- The Federal Government may not affirmatively search cyber threat information shared with the Federal Government under subsection (b) for a purpose other than a purpose referred to in paragraph (1)(B).

                `(3) ANTI-TASKING RESTRICTION- Nothing in this section shall be construed to permit the Federal Government to--

                    `(A) require a private-sector entity to share information with the Federal Government; or

                    `(B) condition the sharing of cyber threat intelligence with a private-sector entity on the provision of cyber threat information to the Federal Government.

                `(4) PROTECTION OF SENSITIVE PERSONAL DOCUMENTS- The Federal Government may not use the following information, containing information that identifies a person, shared with the Federal Government in accordance with subsection (b):

                    `(A) Library circulation records.

                    `(B) Library patron lists.

                    `(C) Book sales records.

                    `(D) Book customer lists.

                    `(E) Firearms sales records.

                    `(F) Tax return records.

                    `(G) Educational records.

                    `(H) Medical records.

                `(5) NOTIFICATION OF NON-CYBER THREAT INFORMATION- If a department or agency of the Federal Government receiving information pursuant to subsection (b)(1) determines that such information is not cyber threat information, such department or agency shall notify the entity or provider sharing such information pursuant to subsection (b)(1).

                `(6) RETENTION AND USE OF CYBER THREAT INFORMATION- No department or agency of the Federal Government shall retain or use information shared pursuant to subsection (b)(1) for any use other than a use permitted under subsection (c)(1).

                `(7) PROTECTION OF INDIVIDUAL INFORMATION- The Federal Government may, consistent with the need to protect Federal systems and critical information infrastructure from cybersecurity threats and to mitigate such threats, undertake reasonable efforts to limit the impact on privacy and civil liberties of the sharing of cyber threat information with the Federal Government pursuant to this subsection.

        Paragraph 1(b) is a provision that requires a warrant and probable cause. Nobody is permitted to investigate or collect evidence without a warrant. Probable cause is a prerequisite to get a warrant.

        The feds are prohibited to go fishing for crimes or evidence. Spying is prohibited by this limitation.

        (2) AFFIRMATIVE SEARCH RESTRICTION- The Federal Government may not affirmatively search cyber threat information shared with the Federal Government under subsection (b) for a purpose other than a purpose referred to in paragraph (1)(B)
        This provision only applies to information collected while an active warrant is in place. A criminal investigation must be authorized first. Otherwise, the FISA provisions would need to be invoked to permit selective "wiretapping". Again, FISA doesn't permit unlimited spying. It requires specific targets.

        It seems that they added a provision that lets you sue the feds if they violate any of these provisions.

           (d) Federal Government Liability for Violations of Restrictions on the Disclosure, Use, and Protection of Voluntarily Shared Information-

                `(1) IN GENERAL- If a department or agency of the Federal Government intentionally or willfully violates subsection (b)(3)(C) or subsection (c) with respect to the disclosure, use, or protection of voluntarily shared cyber threat information shared under this section, the United States shall be liable to a person adversely affected by such violation in an amount equal to the sum of--

                    `(A) the actual damages sustained by the person as a result of the violation or $1,000, whichever is greater; and

                    `(B) the costs of the action together with reasonable attorney fees as determined by the court.

        All actions taken in sharing cyber security information get reported to Congress.
        (1) REPORT- The Inspector General of the Intelligence Community shall annually submit to the congressional intelligence committees a report containing a review of the use of information shared with the Federal Government under this section..... [a list of details follows]
        Yes, it's public information (also available through FOIA in another provision)
        ...paragraph (1) shall be submitted in unclassified form...
        Once a warrant is in place, this is the information that gets shared.
               (4) CYBER THREAT INFORMATION-

                    `(A) IN GENERAL- The term `cyber threat information' means information directly pertaining to--

                        `(i) a vulnerability of a system or network of a government or private entity;

                        `(ii) a threat to the integrity, confidentiality, or availability of a system or network of a government or private entity or any information stored on, processed on, or transiting such a system or network;

                        `(iii) efforts to deny access to or degrade, disrupt, or destroy a system or network of a government or private entity; or

                        `(iv) efforts to gain unauthorized access to a system or network of a government or private entity, including to gain such unauthorized access for the purpose of exfiltrating information stored on, processed on, or transiting a system or network of a government or private entity.

                    `(B) EXCLUSION- Such term does not include information pertaining to efforts to gain unauthorized access to a system or network of a government or private entity that solely involve violations of consumer terms of service or consumer licensing agreements and do not otherwise constitute unauthorized access.

        When they say "crime", they mean this:
        (6) CYBERSECURITY CRIME- The term `cybersecurity crime' means--

                    `(A) a crime under a Federal or State law that involves--

                        `(i) efforts to deny access to or degrade, disrupt, or destroy a system or network;

                        `(ii) efforts to gain unauthorized access to a system or network; or

                        `(iii) efforts to exfiltrate information from a system or network without authorization; or

                    `(B) the violation of a provision of Federal law relating to computer crimes, including a violation of any provision of title 18, United States Code, created or amended by the Computer Fraud and Abuse Act of 1986 (Public Law 99-474).

        Rather than cut and paste the whole text of the bill, you can read it all here.

        You might notice that the words "intellectual property" don't appear anywhere in this bill. The hype is being hyped using quotes that don't exist in the bill.

        An ISP is not a cyber security provider, although an ISP might use software provided by one of these entities. Making up a scenario where an ISP uses a cyber security provider in order to spy on its own customers is probably a bad business plan. It's illegal and it's laughably absurd.

        Oh yeah. The notwithstanding phrase is boilerplate. It's helpful to substitute the word "however". In the context of this bill, the provision means that once the parties agree to share cyber threat info (within the constraints of a formal investigation - and a warrant) then any other laws that would prevent such sharing of info are to be disregarded. The agreement to share info is the superior provision of law. If you agree to share, then no other hurdles are in the way. This phrase appears somewhere in many laws. It prevents mistrials due to technicalities, mostly.

        It's hard to twist this bill into a law that permits unrestricted spying or an attempt to criminalize minor copyright complaints, don't you think?

        But go ahead and mine for snippets in the bill that support whatever it is that you want to believe if that's what floats your boat. There's nothing there, though.

        "All people are born alike - except Republicans and Democrats" - Groucho Marx

        by GrumpyOldGeek on Mon Apr 30, 2012 at 01:57:07 AM PDT


        •  Actually, it was quite easy. It appears they (0+ / 0-)

          have changed it from the version I have read (H.R.3523.RH) to remove the intellectual property part.  It looks like they changed that to the harder to use "efforts to exfiltrate information from a system or network without authorization", which prevents collecting and monitoring data to check torrents and youtube posts.  Oh, and neither the "(5) RELATIONSHIP TO OTHER LAWS REQUIRING THE DISCLOSURE OF INFORMATION" clauses nor the terms of service clause were present either.  However, there is still no equivalent to the "Federal Government Liability for Violations of Restrictions on the Disclosure, Use, and Protection of Voluntarily Shared Information", and the whole "good faith" wording is too vague.  In other words, if a cybersecurity provider (let's say Cisco) were to set up a system for an ISP to check all websites visited, emails sent, and blog/forum posts for certain keywords (vulnerability, exploit, etc) and then send that information to the federal government, the only result would be a metric buttload of "notices of non-cyber threat information" being sent.  Remember, a program that checks for "*box*" and then sends out a DMCA takedown notice has been considered to be "in good faith" before, despite being overly broad and guaranteed to be wrong most of the time (intended to search for the movie "the box" but even caused problems for box.com and dropbox).

          From - H.R.3523.RH

          (2) CYBER THREAT INFORMATION- The term `cyber threat information' means information directly pertaining to a vulnerability of, or threat to, a system or network of a government or private entity, including information pertaining to the protection of a system or network from--

           `(A) efforts to degrade, disrupt, or destroy such system or network; or

           `(B) theft or misappropriation of private or government information, intellectual property, or personally identifiable information.

          There is no saving throw against stupid.

          by Throw The Bums Out on Mon Apr 30, 2012 at 03:56:58 AM PDT


          •  You're getting closer - I'll try to clarify (0+ / 0-)

            First, on the liability topic, I recall seeing a new provision in the bill. A remedy for government privacy violations. You can sue. Actual damages and costs only. A two year limitation. And it's the sole remedy. That's worthless, of course.

            Let's look at this from a more practical perspective. We're going to do a little sleuthing to analyze a realistic cyber crime and try to relate the various activities to the laws that apply.

            Your ISP scenario provides a starting point. This part:

            ...if a cybersecurity provider (let's say Cisco) were to set up a system for an ISP to check all websites visited, emails sent, and blog/forum posts for certain keywords (vulnerability, exploit, etc) and then send that information to the federal government...
            This scenario is already allowed and perfectly legal. This doesn't even need a court order or a warrant or any suspicion of criminal activity. There really isn't a need for a cyber security provider in this scenario. Individuals and businesses can record and analyze anything and everything. I can use any hacker tools and techniques I want. No crime and no investigation is warranted. CISPA does not kick in.

            If I use any of this information to commit any kind of crime or if I publish or sell personal identity information, I've not only violated those laws, I've probably added a cyber crime violation of some variety to the list. Current law covers everything. CISPA provisions might be an option, but it doesn't automatically kick in.

            In case you don't know, every email service on the planet scans through everything. Several email services, mostly the "free" ones (AOL, Gmail, Yahoo, etc.) admit to analyzing email and everything else, and they say they use it to extract trends, regional events, etc. They sell this information to advertisers and other customers. Way down in the fine print of their privacy boilerplate, you'll find a few exceptions to their general feel-good bullshit. Google NEVER provides personal information to ANYONE (except certain paid clients). I'm paraphrasing, but it's a fact. I've worked with one of these "certain" clients. With enough money, you can buy anything. You can be certain that Google knows more about you than the government does.

            Yes, the NSA and others collect massive amounts of traffic and analyze the daylights out of it. The Patriot Act opened up this can of worms. And Bush overreached and broke laws big time. The worst of the abuse isn't done any more, but it's important to understand that every single bit of foreign traffic is monitored, recorded, and analyzed. A great deal of domestic traffic is certain to be included in this massive secret government insecurity cabal.

            This is the most abusive act of all.

            A little technical aside: The federal security standards provide confusing definitions for various cyber security terms. It's helpful to think of the cyber security provider as a service organization or an individual expert. Cyber security information refers to data and derived information. This is the shared information described in the bill. A Cisco router is a cyber security data collection component rather than a provider. The bill depends on such subtleties.

            Now let's talk about the government side of this scenario and where the CISPA bill kicks in.

            Government agencies can NOT do any of these spying and data collection activities without a court order, unless other Patriot Act provisions apply.

            The Patriot Act is all about terrorism and foreign intelligence. Domestic spying is limited and FISA procedures can be used.

            Technically, the government is not allowed to spy on citizens domestically. But they have ways to get around these things.

            They can ask me to help out. I have helped out a couple of times.

            Private individuals do not have many of the restrictions imposed on government agencies. I can use most of the usual hacker toolset and the government, in general, cannot. A few agencies and some specific private organizations exist that are scary-brilliant and far ahead of the curve, but most aren't into the world of cyber crime.

            I can't steal their stuff, of course. I can't violate any laws, computer privacy laws included. But I can learn much more about them than one would think.

            Government agencies, their contractors, and other third parties can ask me to volunteer my services. They just can't pay me.

            Everyone can and should report a crime or suspicious activity. Cyber crime is a crime.

            Let's see when the CISPA bill would kick in.

            CISPA doesn't kick in until a criminal investigation begins.

            If I provide a tip to the FBI, for example, they might decide to begin an investigation. If they determine that they have probable cause, get a warrant, and the investigation is regarding a criminal offense, then CISPA kicks in.

            Now the feds can contact security providers and ask for data that's specifically about the target of the investigation. Private security organizations can agree to share information. Federal agencies can engage other federal agencies to assist and share information. This is similar to the sharing allowed under the Patriot Act, but it applies to domestic cyber crime investigations.

            If the investigation involves classified information, then security clearances can be bypassed. Personally, I think this one provision is cause to abandon the whole thing. It's about as stupid as it can get in the world of security.

            CISPA just isn't a big government spying operation.

            "All people are born alike - except Republicans and Democrats" - Groucho Marx

            by GrumpyOldGeek on Mon Apr 30, 2012 at 07:16:25 PM PDT


  •  Big Brother (1+ / 0-)
    Recommended by:
    LeftOverAmerica

    Why don't they literally cut and paste the text of 1984 into a bill and pass that?

    "You can't run a country by a book of religion. Dumb all over, a little ugly on the side." Frank Zappa

    by Uosdwis on Sun Apr 29, 2012 at 02:14:28 PM PDT

  •  So (0+ / 0-)

    Doesn't this allow us to do it to them as well?   Why can't we form a non-profit and then start collecting the private information on, say, Eric Holder, Eric Cantor or David Koch?  Why can't we then share this information with each other?  

    I personally think that David Koch is a threat to the bodily and psychological well being of children.  

    So why can't we gather up his cell phone records, his text messages, his e-mail messages and then publicize ("share") them?

    I'm all for it.  No privacy for us; no privacy for them.

    This aggression will not stand, man.

    by kaleidescope on Sun Apr 29, 2012 at 06:13:26 PM PDT
