Simple Question: What Cyberattack Would The New Cybersecurity Bill Have Stopped?

from the until-you-can-answer-that... dept

Last week, the Senate Intelligence Committee voted (in secret, of course) to approve a new cybersecurity bill, dubbed CISA (as it was in the last Congress), though it kept the content of the actual bill secret until this week. The only Senator who voted against it was… Senator Wyden, of course, who rightly pointed out that this bill is “not a cybersecurity bill; it’s a surveillance bill by another name.”

The good folks over at the EFF have a rundown on why the bill is terrible:

Aside from its redundancy, the Senate Intelligence bill grants two new authorities to companies. First, the bill authorizes companies to launch countermeasures (now called “defensive measures” in the bill) for a “cybersecurity purpose” against a “cybersecurity threat.” “Cybersecurity purpose” is so broadly defined that it means almost anything related to protecting (including physically protecting) an information system, which can be a computer or software. The same goes for a “cybersecurity threat,” which includes anything that “may result” in an unauthorized effort to impact the availability of the information system.

Even with the changed language, it’s still unclear what restrictions exist on “defensive measures.” Since the definition of “information system” is inclusive of files and software, can a company that has a file stolen from them launch “defensive measures” against the thief’s computer? What’s worse, the bill may allow such actions as long as they don’t cause “substantial” harm. The bill leaves the term “substantial” undefined. If true, the countermeasures (“defensive measures”) clause could increasingly encourage computer exfiltration attacks on the Internet, a prospect that may appeal to some “active defense” (aka offensive) cybersecurity companies, but does not favor the everyday user.

Second, the bill adds a new authority for companies to monitor information systems to protect an entity’s hardware or software. Here again, the broad definitions could be used in conjunction with the monitoring clause to spy on users engaged in potentially innocuous activity. Once collected, companies can then share the information, which is also called “cyber threat indicators,” freely with government agencies like the NSA.

Also, the bill departs from previous cybersecurity bills, which put Homeland Security in charge (which, by itself, isn’t great, but DHS is the best option if you’re choosing between DHS, the NSA and the FBI). While the information still goes to DHS under this bill, DHS doesn’t then get to parse through it and decide where it goes. Instead, the info must be shared “in real time” with the NSA. All of which just adds weight to the point that this is a surveillance bill, not a bill to protect against “cybersecurity attacks.”

But if you want to know the single biggest reason why this bill is bogus: ask those supporting it what cybersecurity attack this bill would have stopped. And you’ll notice they don’t have an answer. That’s because it’s not a cybersecurity bill at all. It’s just a bill to try to give the government more access to your user info.


Comments on “Simple Question: What Cyberattack Would The New Cybersecurity Bill Have Stopped?”

23 Comments
Anonymous Coward says:

You can’t put spy agencies in charge of your security. I don’t care that they have 90 percent of the world’s “cyber” expertise (which they don’t) – they are just completely INCOMPATIBLE with the security mission.

NSA’s mission = hacking and surveillance

Cybersecurity = encryption and UNBREAKABLE security design

See how the two are INCOMPATIBLE?

A civil and transparent agency should be in charge of cybersecurity. And by transparent, I don’t mean Obama’s type of Transparency™

Anonymous Coward says:

A flippant answer would be “none” since the bill is just that, a bill that has not been enacted into law. Moreover, even if enacted the bill itself will not stop attacks, because that can only be done by people using technological and physical measures effective to thwart such untoward activities by persons intent upon breaching computer systems. What the bill is apparently intended to do, at least in part, is to provide potential victims with what I would term a “digital right of self-defense” that does not run afoul of current law.

I understand the criticisms leveled by people over at the EFF, but what they say about generalities is true of every piece of legislation passed by every federal and state legislative body since laws were first committed to writing. To be accurate, the only “perfect” bill is one that is never enacted…but in a society such as ours that is based upon the rule of law that is not possible, so flexibility in language must be provided and tolerated.

Anonymous Coward says:

Re: Re:

That doesn’t change the fact that it’s still a bad bill. See, language is important, and according to the bill the language used is so broad that, much like the CFAA, it can be so easily abused.

And again, this is being pushed as a cyberSECURITY bill which by definition (ie most sensible people) means protecting and encrypting systems so they can’t be hacked into. What this bill does is the exact opposite, all it does is allow companies to “hack back” (something they ALREADY can do) and allow MORE of your personal information to be data-mined by the NSA.

You notice the contradiction? That’s because it’s not a cybersecurity bill but a surveillance bill wearing the trappings of cybersecurity.

We can have good security without sacrificing privacy but this bill is not the way to go and solves nothing.

Just Another Anonymous Troll says:

Re: Re:

Hmmmmm, since “defensive measures”, “cybersecurity threat”, and “cybersecurity purposes” are so vaguely defined, a good lawyer could effectively make this open season on the NSA (cybersecurity threat) for any yahoo who can form a company and hack/DDoS them (defensive measures) in an attempt to disrupt their spying operations (cybersecurity purpose). I have a feeling it will get repealed soon after their spying apparatus gets hammered by Anonymous, Inc. completely legally.

Anonymous Coward says:

Feds to states: Go ahead and ignore state law

(4) USE OF CYBER THREAT INDICATORS BY STATE, TRIBAL, OR LOCAL GOVERNMENT.—

 . . . .
(B) EXEMPTION FROM DISCLOSURE.—
A cyber threat indicator shared with a State, tribal, or local government under this section shall
be—

 . . . .
(ii) exempt from disclosure under any State, tribal, or local law requiring disclosure of information or records.

What the fuck gives the federal government the authority to relieve any agency of the State of Washington from that state agency’s obligation to fully obey Washington law?

What the fucking fuck-fuck?

Where does it say that in the federal Constitution? It doesn’t.

Anonymous Coward says:

Re: Feds to states: Go ahead and ignore state law

Amendment X

The powers not delegated to the United States by the Constitution, nor prohibited by it to the states, are reserved to the states respectively, or to the people.

 

(See commentary: “… Congress may not ‘commandeer’ state regulatory processes by ordering states to enact or administer a federal regulatory program…”).

Anonymous Coward says:

Re: Feds to states: Go ahead and ignore state law

YO! CALIFORNIA! HEY YOU! OVER THERE!

What does California have to say about this? Access to public records is written into the California Constitution. Do the feds have some sort of free-floating, untethered authority to tell your state’s agencies to ignore your state’s constitution?

What does California have to say about this?

GEMont (profile) says:

Re: Feds to states: Go ahead and ignore state law

We are sorry, but as an American citizen, recently reclassified as “The Adversary”, you are not allowed to read the section of the New Corporate Constitution of the United States of America that pertains to the Federal Authority to relieve any agency of the State of Washington from that state agency’s obligation to fully obey Washington law, or for that matter, any other state in the union.

However, be assured that we do now have the right to do exactly that, and many other things that the old outdated pre-9/11 Constitution did not allow.

You can trust us when we say that this is entirely for your benefit.

USG

Anonymous Coward says:

The NSA already has "direct access" to Google...

According to Snowden. — So how much more can there be? Even the block quote mentions redundancy. — Don’t worry about the RE-dundance when you’re not calling for the dundance to be RE-moved. — Be a leader, Masnick, and suggest some action to roll back the present criminality, not just write up another lame report of more loss.

Anonymous Coward says:

C'mon, use the right terms!

> … to launch countermeasures (now called “defensive measures” in the bill) for a “cybersecurity purpose” against a “cybersecurity threat.”

Everyone knows this is called “ICE”. Data walls, Code Gates, Traces, Sentries, though it’ll be a while before we get the mind-computer interfaces that would make Black Ice a reality.

Ah, the smell of a Cortical Scrub in the morning…

That One Guy (profile) says:

Someone's cheering, and it's not just the spies

Allowing companies to ‘fight back’ is a recipe for disaster and massive collateral damage, given most major hacks or DDOS attacks are likely to be carried out by compromised computers and networks, with the owners of those computers/networks completely innocent of anything more heinous than clicking on the wrong link or visiting the wrong site.

Feel like double-trolling someone you don’t like? Use their computer/network in an attack, and then watch as the ‘counter-attack’ results in it being even more broken than before.

GEMont (profile) says:

Re: Someone's cheering, and it's not just the spies

Allowing corporate entities to attack computers they think might cause them grief, or blanket assault a network because of a DDOS attack on their systems, will inevitably lead directly to publicly produced reflection and retaliation technology.

This is of course the whole plan.

Once the public starts to react to having their computers wiped by Pissco or Microsloth because someone, somewhere – most likely CIAF BINSA – linked their box as a zombie in an electronic attack on that company, the Surveillance Corporation, currently known as the CIAF BINSA, can “prove” the need for Cyber-security counter-measures and get better tax-payer funding for their next generation of assault wares and better “public” support for the whole concept of Retaliatory Cyber Security.

It will also “prove” to the tax-paying public, the need for “Retaliatory Cyber-Security” attack wares used by corporations.

If you want to make legislation that will be obviously unpopular because it pries into public privacy or decreases public communications security, you must first create a crime-laden environment that can be used to show why the legislation is necessary.

This is how all of the “War On ******” scams are created.

It’s a tried and true business model.

Derek Kerton (profile) says:

Still Fighting The Last War

So…with our gov’t, we are constantly fighting the last war, with things like taking our shoes off because the last bomber wired his shoes.

Of course, it’s lame to merely be reactive, and to plan and prepare for the attacks that happened in the past. It is smarter, and thus I suggest that we instead prepare for the attacks that might happen in the future.

So now, our gov’t has leapfrogged my suggestion. Instead of fighting the last war, or the next one, we are putting up “defenses” for problems that never happened, and never will.
