Cybersecurity Bill: Protecting Us From Attacks... Or Keeping Our Own Attacks Secret?

from the seems-quite-likely dept

We've been discussing the fight in the Senate over the latest version of the Cybersecurity Act. One of the things we mentioned is that, at 211 pages, it's quite likely there are a ton of little "easter egg" gems in there that the public doesn't want or need, but which we'll be stuck with -- and only discover way down the road. Paul Rosenzweig, over at the Lawfare Blog, may have turned up one of them, in trying to understand Section 706(d), which reads:
(d) DELAY OF NOTIFICATION AUTHORIZED FOR LAW ENFORCEMENT, NATIONAL SECURITY, OR HOMELAND SECURITY PURPOSES.—No civil or criminal cause of action shall lie or be maintained in any Federal or State court against any entity, and any such action shall be dismissed promptly, for a failure to disclose a cybersecurity threat indicator if—
(1) the Attorney General or the Secretary determines that disclosure of a cybersecurity threat indicator would impede a civil or criminal investigation and submits a written request to delay notification for up to 30 days, except that the Attorney General or the Secretary may, by a subsequent written request, revoke such delay or extend the period of time set forth in the original request made under this paragraph if further delay is necessary;

(2) the Secretary, the Attorney General, or the Director of National Intelligence determines that disclosure of a cybersecurity threat indicator would threaten national or homeland security and submits a written request to delay notification, except that the Secretary, the Attorney General, or the Director, may, by a subsequent written request, revoke such delay or extend the period of time set forth in the original request made under this paragraph if further delay is necessary.
What's odd about this? Well, it appears to say that companies might not get in legal trouble if they don't disclose info. But, as we're constantly reminded, the whole point of the info sharing from companies in this bill is that it's voluntary. So there wouldn't be any cause of action generally when they choose not to share. But, as Rosenzweig thinks through it, there is another scenario where this could come into play: if a company wanted to share info but was stopped -- perhaps because that info implicated the US government itself:
I suppose there is another possibility as well – that they might want to stop temporarily the sharing of CTI when the threat being disclosed is one that has been created by .... Well, NSA. In fact, if you believe that, then the reason the government so much wants to be at the center of CTI sharing is not just to protect the public but also to protect its own methods.
This actually makes a fair amount of sense. Remember, the only two serious cases of digital attacks that we know of -- Stuxnet and Flame -- both appear to have originated from US government officials, and both eventually got out when security firms discovered their existence, and tried to make sense of the malware. So, perhaps part of the "urgency" in trying to pass this bill is to help silence researchers who discover what other malware the US government has put out itself!


Reader Comments

  •  
    Dementia (profile), Jul 31st, 2012 @ 8:18am

    And now they're even trying to turn the cybersecurity bill into a gun control bill through amendments.....

     

    •  
      The Luke Witnesser, Jul 31st, 2012 @ 8:38am

      Re:

      Gun control, miniature SOPA-esque provisions, now this. It's pretty clear at this point that the bill was first presented as a version that "addressed" privacy concerns just so they could smuggle the really evil shit in there through amendments. Frankly, I am disgusted with these politicians (as if I wasn't already). Vast majority of them are pretty much soulless scum and all about the power.

       

  •  
    Anonymous Coward, Jul 31st, 2012 @ 8:39am

    " So, perhaps part of the "urgency" in trying to pass this bill is to help silence researchers who discover what other malware the US government has put out itself!"

    This site needs a tin foil hat smiley. This is beyond silly.

     

    •  
      weneedhelp (profile), Jul 31st, 2012 @ 8:49am

      Re:

      "This is beyond silly."
      Yeah! Because the US never released malware, and would never want to keep its cyber espionage secret.

      Tinfoil indeed.

       

    •  
      John Fenderson (profile), Jul 31st, 2012 @ 8:51am

      Re:

      Why is it silly? We know for a solid fact that the US government creates and distributes malware for use against entities it considers targets. It seems logical that they would want to take steps to keep any specific action a secret.

      This isn't tinfoil hat territory at all.

       

    •  
      Anonymous Coward, Jul 31st, 2012 @ 8:55am

      Re:

      Conspiracy theories are only tinfoil hat worthy when you don't have proof of one. And it just so happens the only "cyberwar" malware was put out by our own government.

      That's far more evidence than the anti big search crowd who claim Google is in control of both the defeat of SOPA and is controlling Mike have.

       

    •  
      Another AC, Jul 31st, 2012 @ 8:55am

      Re:

      1/10 for Insightful. Any counter arguments or points of debate? Or is that all we get?

       

    •  
      Ninja (profile), Jul 31st, 2012 @ 9:34am

      Re:

      This AC needs a few slaps on the face to wake up from his dream world.

       

      •  
        Anonymous Coward, Jul 31st, 2012 @ 10:34am

        Re: Re:

        This from the guy who appears to be wallowing in the fool-aid.

        Mike denies cyberwar over and over again, and now raises the thought of it when it suits him. How quaint!

         

  •  
    Anonymous Coward, Jul 31st, 2012 @ 8:41am

    It's definitely to keep secret the invasion of privacy being executed on our own people. Any and all so-called security bills are meant to do the same thing with the addition of stopping the people from finding out what the government is really up to, so corrupt politicians and corporation execs can continue to line their own pockets at the expense of others.

     

  •  
    Anonymous Coward, Jul 31st, 2012 @ 9:31am

    Remember, the only two serious cases of digital attacks that we know of -- Stuxnet and Flame -- both appear to have originated from US government officials, and both eventually got out when security firms discovered their existence, and tried to make sense of the malware.


    Weren't most of these security firms from other countries?

     

  •  
    Anonymous Coward, Jul 31st, 2012 @ 9:34am

    So you just think this is a way to stop companies from revealing government info? Perhaps you are looking too closely into this. I hope.

     

  •  
    Anonymous Coward, Jul 31st, 2012 @ 11:29am

    A few things for sure, whoever wrote this section knows exactly what they want and most people wouldn't agree with it. It's meant to be obscure and hard to define - until put in action. Then we will know what they meant.

    The Patriot Act for the internet?

     

  •  
    Anonymous Coward, Jul 31st, 2012 @ 6:00pm

    The US government is lawless and rogue. They like to dot their "i"s and cross their "t"s legislatively, but let's not forget that they are just as happy to ignore, twist and abuse the law if it happens to be inconvenient to follow it in good faith.

     

  •  
    Anonymous Coward, Jul 31st, 2012 @ 8:45pm

    Any time they get a case they don't quite know what to do with, it seems it always comes back to a national security issue.

    I would like to remind readers that not too long ago, the US military claimed that a cyber attack was the same as provocation for war. In essence the US has through the release of cyber attacks already declared war on Iran.

     
