Simple Question: What Cyberattack Would The New Cybersecurity Bill Have Stopped?

from the until-you-can-answer-that... dept

Last week, the Senate Intelligence Committee voted (in secret, of course) to approve a new cybersecurity bill, dubbed CISA (as it was in the last Congress), though it kept the content of the actual bill secret until this week. The only Senator who voted against it was… Senator Wyden, of course, who rightly pointed out that this bill is “not a cybersecurity bill ? it?s a surveillance bill by another name.”

The good folks over at the EFF have a rundown on why the bill is terrible:

Aside from its redundancy, the Senate Intelligence bill grants two new authorities to companies. First, the bill authorizes companies to launch countermeasures (now called “defensive measures” in the bill) for a “cybersecurity purpose” against a “cybersecurity threat.” “Cybersecurity purpose” is so broadly defined that it means almost anything related to protecting (including physically protecting) an information system, which can be a computer or software. The same goes for a “cybersecurity threat,” which includes anything that “may result” in an unauthorized effort to impact the availability of the information system.

Even with the changed language, it’s still unclear what restrictions exist on “defensive measures.” Since the definition of “information system” is inclusive of files and software, can a company that has a file stolen from them launch “defensive measures” against the thief’s computer? What’s worse, the bill may allow such actions as long as they don’t cause “substantial” harm. The bill leaves the term “substantial” undefined. If true, the countermeasures “defensive measures” clause could increasingly encourage computer exfiltration attacks on the Internet?a prospect that may appeal to some “active defense” (aka offensive) cybersecurity companies, but does not favor the everyday user.

Second, the bill adds a new authority for companies to monitor information systems to protect an entity’s hardware or software. Here again, the broad definitions could be used in conjunction with the monitoring clause to spy on users engaged in potentially innocuous activity. Once collected, companies can then share the information, which is also called ?cyber threat indicators,? freely with government agencies like the NSA.

Also, the bill goes away from previous cybersecurity bills that put Homeland Security in charge (which, by itself, isn’t great, but DHS is the best option if you’re debating between DHS, the NSA and the FBI). While the information still goes to DHS under this bill, DHS doesn’t then get to parse through it and figure out where it goes. Instead, the info needs to be shared “in real time” with the NSA. All of which just gives weight to the fact that this is a surveillance bill, not a bill to protect against “cybersecurity attacks.”

But if you want to know the single biggest reason why this bill is bogus: ask those supporting it what cybersecurity attack this bill would have stopped. And you’ll notice they don’t have an answer. That’s because it’s not a cybersecurity bill at all. It’s just a bill to try to give the government more access to your user info.

Filed Under: , , , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Simple Question: What Cyberattack Would The New Cybersecurity Bill Have Stopped?”

Subscribe: RSS Leave a comment
Anonymous Coward says:

You can’t let spy agencies in charge of your security. I don’t care that they have 90 percent of world’s “cyber” expertize (which they don’t) – they are just completely INCOMPATIBLE with the security mission.

NSA’s mission = hacking and surveillance

Cybersecurity = encryption and UNBREAKABLE security design

See how the two are INCOMPATIBLE?

A civil and transparent agency should be in charge cybersecurity. And by transparent, I don’t mean Obama’s type of Transparency™

Anonymous Coward says:

A flippant answer would be “none” since the bill is just that, a bill that has not been enacted into law. Moreover, even if enacted the bill itself will not stop attacks, because that can only be done by people using technological and physical measures effective to thwart such untoward activities by persons intent upon breaching computer systems. What the bill is apparently intended to do, at least in part, it to provide potential victims with what I would term a “digital right of self-defense” that does not run afoul of current law.

I understand the criticisms leveled by people over at the EFF, but what they say about generalities is true of every piece of legislation passed by every federal and state legislative body since laws were first committed to writing. To be accurate, the only “perfect” bill is one that is never enacted…but in a society as ours that is based upon the rule of law that is not possible, so flexibility in language must be provided and tolerated.

Anonymous Coward says:

Re: Re:

That doesn’t change the fact it’s still a bad bill. See language is important and according to the bill the language used is so broad that much like the CFAA it can be so easily abused.

And again, this is being pushed as a cyberSECURITY bill which by definition (ie most sensible people) means protecting and encrypting systems so they can’t be hacked into. What this bill does is the exact opposite, all it does is allow companies to “hack back” (something they ALREADY can do) and allow MORE of your personal information to be data-minded by the NSA.

You notice the contradiction? That’ because it’s not a cybersecurity bill but a surveillance bill wearing the trappings of cybersecurity.

We can have good security without sacrificing privacy but this bill is not the way to go and solves nothing.

Just Another Anonymous Troll says:

Re: Re:

Hmmmmm, since “defensive measures”, “cybersecurity threat”, and “cybersecurity purposes” are so vaguely defined, a good lawyer could effectively make this open season on the NSA (cybersecurity threat) for any yahoo who can form a company and hack/DDoS them (defensive measures) in an attempt to disrupt their spying operations (cybersecurity purpose). I have a feeling it will get repealed soon after their spying apparatus gets hammered by Anonymous, Inc. completely legally.

Anonymous Coward says:

Feds to states: Go ahead and ignore state law


 . . . .
A cyber threat indicator shared with a State, tribal, or local government under this section shall

 . . . .
(ii) exempt from disclosure under any State, tribal, or local law requiring disclosure of information or records.

What the fuck gives the federal government the authority to relieve any agency of the State of Washington from that state agencies’ obligation to fully obey Washington law?

What the fucking fuck-fuck?

Where does it say that in the federal Constitution? It doesn’t.

Anonymous Coward says:

Re: Feds to states: Go ahead and ignore state law

Amendment X

The powers not delegated to the United States by the Constitution, nor prohibited by it to the states, are reserved to the states respectively, or to the people.


(See commentary: “… Congress may not ‘commandeer’ state regulatory processes by ordering states to enact or administer a federal regulatory program…”).

Anonymous Coward says:

Re: Feds to states: Go ahead and ignore state law


What does California have to say about this? Access to public records is written into the California Constitution. Do the feds have some sort of free-floating, untethered authority to tell your state’s agencies to ignore your state’s constitution?

What does California have to say about this?

GEMont (profile) says:

Re: Feds to states: Go ahead and ignore state law

We are sorry, but as an American citizen, recently reclassified as “The Adversary”, you are not allowed to read the section of the New Corporate Constitution of the United States of America that pertains to the Federal Authority to relieve any agency of the State of Washington from that state agencies’ obligation to fully obey Washington law, or for that matter, any other state in the union?

However, be assured that we do now have the right to do exactly that, and many other things that the old outdated pre-9/11 Constitution did not allow.

You can trust us when we say that this is entirely for your benefit.


Anonymous Coward says:

The NSA already has "direct access" to Google...

According to Snowden. — So how much more can there be? Even the block quote mentions redundancy. — Don’t worry about the RE-dundance when you’re not calling for the dundance to be RE-moved. — Be a leader, Masnick, and suggest some action to roll back the present criminality, not just write up another lame report of more loss.

Anonymous Coward says:

C'mon, use the right terms!

> … to launch countermeasures (now called “defensive measures” in the bill) for a “cybersecurity purpose” against a “cybersecurity threat.”

Everyone knows this is called “ICE”. Data walls, Code Gates, Traces, Sentries, though it’ll be a while before we get the mind-computer interfaces that would make Black Ice a reality.

Ah, the smell of a Cortical Scrub in the morning…

That One Guy (profile) says:

Someone's cheering, and it's not just the spies

Allowing companies to ‘fight back’ is a recipe for disaster and massive collateral damage, given most major hacks or DDOS attacks are likely to be carried out by compromised computers and networks, with the owners of those computers/networks completely innocent of anything more heinous than clicking on the wrong link or visiting the wrong site.

Feel like double-trolling someone you don’t like? Use their computer/network in an attack, and then watch as the ‘counter-attack’ results in it being even more broken than before.

GEMont (profile) says:

Re: Someone's cheering, and it's not just the spies

Allowing corporate entities to attack computers they think might cause them grief, or blanket assault a network because of a DDOS attack on their systems, will inevitably lead directly to publically produced reflection and retaliation technology.

This is of course the whole plan.

Once the public starts to react to having their computers wiped by Pissco or Microsloth because someone, somewhere – most likely CIAF BINSA – linked their box as a zombie in an electronic attack on that company, the Surveillance Corporation, currently known as the CIAF BINSA, can “prove” the need for Cyber-security counter-measures and get better tax-payer funding for their next generation of assault wares and better “public” support for the whole concept of Retaliatory Cyber Security.

It will also “prove” to the tax-paying public, the need for “Retaliatory Cyber-Security” attack wares used by corporations.

If you want to make legislation that will be obviously unpopular because it pries into public privacy or decreases public communications security, you must first create a crime-laden environment that can be used to show why the legislation is necessary.

This is how all of the “War On ******” scams are created.

Its a tried and true business model.

Derek Kerton (profile) says:

Still Fighting The Last War

So…with our gov’t, we are constantly fighting the last war, with things like taking our shoes off because the last bomber wired his shoes.

Of course, it’s lame to merely be reactive, and to plan and prepare for the attacks that happened in the past. It is smarter, and thus I suggest that we instead prepare for the attacks that might happen in the future.

So now, our gov’t has leapfrogged my suggestion. Instead of fighting the last war, or the next one, we are putting up “defenses” for problems that never happened, and never will.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...