Cybersecurity Bill: Protecting Us From Attacks… Or Keeping Our Own Attacks Secret?
from the seems-quite-likely dept
We’ve been discussing the fight in the Senate over the latest version of the Cybersecurity Act. One of the things we mentioned is that, at 211-pages, it’s quite likely there are a ton of little “easter egg” gems in there that the public doesn’t want or need, but which we’ll be stuck with — and only discover way down the road. Paul Rosenzweig, over at the Lawfare Blog, may have turned up one of them, in trying to understand Section 706(d), which reads:
(d) DELAY OF NOTIFICATION AUTHORIZED FOR LAW ENFORCEMENT, NATIONAL SECURITY, OR HOMELAND SECURITY PURPOSES.—No civil or criminal cause of action shall lie or be maintained in any Federal or Statecourt against any entity, and any such action shall be dismissed promptly, for a failure to disclose a cybersecurity threat indicator if—
(1) the Attorney General or the Secretary determines that disclosure of a cybersecurity threat indicator would impede a civil or criminal investigation and submits a written request to delay notification for up to 30 days, except that the Attorney General or the Secretary may, by a subsequent written request, revoke such delay or extend the period of time set forth in the original request made under this paragraph if further delay is necessary;
(2) the Secretary, the Attorney General, or the Director of National Intelligence determines that disclosure of a cybersecurity threat indicator would threaten national or homeland security and submits a written request to delay notification, except that the Secretary, the Attorney General, or the Director,may, by a subsequent written request, revoke such delay or extend the period of time set forth in the original request made under this paragraph if further delay is necessary.
What’s odd about this? Well, it suggests that it says that companies might not get in legal trouble if they don’t disclose info. But, as we’re constantly reminded, the whole point of the info sharing from companies in this bill is that it’s voluntary. So there wouldn’t be any cause of action generally when they choose not to share. But, as Rosenzweig thinks through it, there is another scenario where this could come into play: if a company wanted to share info but was stopped — perhaps because that info implicated the US government itself:
I suppose there is another possibility as well – that they might want to stop temporarily the sharing of CTI when the threat being disclosed is one that has been created by …. Well, NSA. In fact, if you believe that, then the reason the government so much wants to be at the center of CTI sharing is not just to protect the public but also to protect its own methods.
This actually makes a fair amount of sense. Remember, the only two serious cases of digital attacks that we know of — Stuxnet and Flame — both appear to have originated from US government officials, and both eventually got out when security firms discovered their existence, and tried to make sense of the malware. So, perhaps part of the “urgency” in trying to pass this bill is to help silence researchers who discover what other malware the US government has put out itself!
Filed Under: attacks, cybersecurity, information sharing, nsa, privacy, secrecy
Comments on “Cybersecurity Bill: Protecting Us From Attacks… Or Keeping Our Own Attacks Secret?”
And now they’re even trying to turn the cybersecurity bill into a gun control bill through amendments…..
Re: Re:
Gun control, miniature SOPA-esque provisions, now this. It’s pretty clear at this point that the bill was first presented as a version that “addressed” privacy concerns just so they could smuggle the really evil shit in there through amendments. Frankly, I am disgusted with these politicians (as if I wasn’t already). Vast majority of them are pretty much soulless scum and all about the power.
” So, perhaps part of the “urgency” in trying to pass this bill is to help silence researchers who discover what other malware the US government has put out itself!”
This site needs a tin foil hat smiley. This is beyond silly.
Re: Re:
“This is beyond silly.”
Yeah! Because the US never released malware, and would never want to keep its cyber espionage secret.
Tinfoil indeed.
Re: Re:
Why is it silly? We know for a solid fact that the US government creates and distributes malware for use against entities it considers targets. It seems logical that they would want to take steps to keep any specific action a secret.
This isn’t tinfoil hat territory at all.
Re: Re: Re:
It’s more of a fedora kind of site.
Re: Re: Re: Re:
Is it a red fedora?
Re: Re:
Consipracy theories are only tinfoil hat worthy when you don’t have proof of one. And it just so happens the only “cyberwar” malware was put out by our own goverment.
That’s far more evidence than the anti big search crowd
who claim google is in control of both the deafeat of SOPA and is controlling MIke have.
Re: Re:
1/10 for Insightful. Any counter arguments or points of debate? Or is that all we get?
Re: Re:
This AC needs a few slaps on the face to wake up from his dream world.
Re: Re: Re:
This from the guy who appears to be wallowing in the fool-aid.
Mike denies cyberwar over and over again, and now raises the thought of it when it suits him. How quaint!
Re: Re: Re: Re:
You half-wit! If the only “cyberwar” that exists comes from our own government then who is this war really against?
Re: Re: Re: Re:
Where did Mike say “cyberwar”?
Re: Re: Re:2 Re:
As far as my browser’s search function can devine, “cyber war”/”cyberwar” is only mentioned by random commenters and not Mike himself.
it’s definitely to keep secret the invasion of privacy being executed on our own people. any and all so-called security bills are meant to do the same thing with the addition of stopping the people from finding out what the government is really up to, so corrupt politicians and corporation execs can continue to line their own pockets at the expense of others.
Weren’t most of these security firms from other countries?
So you just think this is a way to stop companies from revealing government info? Perhaps you are looking too closely into this. I Hope.
A few things for sure, whoever wrote this section knows exactly what they want and most people wouldn’t agree with it. It’s meant to be obscure and hard to define – until put in action. Then we will know what they meant.
The Patriot Act for the internet?
The US government is lawless and rogue. They like to dot their “i”s and cross their “t”s legislatively, but let’s not forget that if they are just as happy to ignore, twist and abuse the law if it happens to be inconvenient to follow it in good faith.
Any time they get a case they don’t quite know what to do with it seems it always comes back to a national security issue.
I would like to remind readers that not to long ago, the US military claimed that a cyber attack was the same as provocation for war. In essence the US has through the release of cyber attacks already declared war on Iran.