Simple Question: What Cyberattack Would The New Cybersecurity Bill Have Stopped?

from the until-you-can-answer-that... dept

Last week, the Senate Intelligence Committee voted (in secret, of course) to approve a new cybersecurity bill, dubbed CISA (as it was in the last Congress), though it kept the content of the actual bill secret until this week. The only Senator who voted against it was... Senator Wyden, of course, who rightly pointed out that this bill is "not a cybersecurity bill – it’s a surveillance bill by another name."

The good folks over at the EFF have a rundown on why the bill is terrible:

Aside from its redundancy, the Senate Intelligence bill grants two new authorities to companies. First, the bill authorizes companies to launch countermeasures (now called "defensive measures" in the bill) for a "cybersecurity purpose" against a "cybersecurity threat." "Cybersecurity purpose" is so broadly defined that it means almost anything related to protecting (including physically protecting) an information system, which can be a computer or software. The same goes for a "cybersecurity threat," which includes anything that "may result" in an unauthorized effort to impact the availability of the information system.

Even with the changed language, it's still unclear what restrictions exist on "defensive measures." Since the definition of "information system" is inclusive of files and software, can a company that has a file stolen from them launch "defensive measures" against the thief's computer? What's worse, the bill may allow such actions as long as they don't cause "substantial" harm. The bill leaves the term "substantial" undefined. If true, the countermeasures "defensive measures" clause could increasingly encourage computer exfiltration attacks on the Internet—a prospect that may appeal to some "active defense" (aka offensive) cybersecurity companies, but does not favor the everyday user.

Second, the bill adds a new authority for companies to monitor information systems to protect an entity's hardware or software. Here again, the broad definitions could be used in conjunction with the monitoring clause to spy on users engaged in potentially innocuous activity. Once collected, companies can then share the information, which is also called “cyber threat indicators,” freely with government agencies like the NSA.

Also, the bill moves away from previous cybersecurity bills that put Homeland Security in charge (which, by itself, isn't great, but DHS is the best option if you're debating between DHS, the NSA and the FBI). While the information still goes to DHS under this bill, DHS doesn't then get to parse through it and figure out where it goes. Instead, the info must be shared "in real time" with the NSA. All of which just gives weight to the fact that this is a surveillance bill, not a bill to protect against "cybersecurity attacks."

But if you want to know the single biggest reason why this bill is bogus: ask those supporting it what cybersecurity attack this bill would have stopped. And you'll notice they don't have an answer. That's because it's not a cybersecurity bill at all. It's just a bill to try to give the government more access to your user info.

Filed Under: cisa, cybersecurity, dhs, information sharing, nsa, ron wyden, senate intelligence committee, surveillance


Reader Comments



  • Anonymous Coward, 20 Mar 2015 @ 9:44am

    You can't put spy agencies in charge of your security. I don't care that they have 90 percent of the world's "cyber" expertise (which they don't) - they are just completely INCOMPATIBLE with the security mission.

    NSA's mission = hacking and surveillance

    Cybersecurity = encryption and UNBREAKABLE security design

    See how the two are INCOMPATIBLE?

    A civil and transparent agency should be in charge of cybersecurity. And by transparent, I don't mean Obama's type of Transparency™


  • Anonymous Coward, 20 Mar 2015 @ 9:55am

    A flippant answer would be "none" since the bill is just that, a bill that has not been enacted into law. Moreover, even if enacted the bill itself will not stop attacks, because that can only be done by people using technological and physical measures effective to thwart such untoward activities by persons intent upon breaching computer systems. What the bill is apparently intended to do, at least in part, is to provide potential victims with what I would term a "digital right of self-defense" that does not run afoul of current law.

    I understand the criticisms leveled by people over at the EFF, but what they say about generalities is true of every piece of legislation passed by every federal and state legislative body since laws were first committed to writing. To be accurate, the only "perfect" bill is one that is never enacted...but in a society such as ours that is based upon the rule of law that is not possible, so flexibility in language must be provided and tolerated.


    • Anonymous Coward, 20 Mar 2015 @ 10:11am

      Re:

      That doesn't change the fact that it's still a bad bill. See, language is important, and according to the bill the language used is so broad that, much like the CFAA, it can be so easily abused.

      And again, this is being pushed as a cyberSECURITY bill which by definition (ie most sensible people) means protecting and encrypting systems so they can't be hacked into. What this bill does is the exact opposite, all it does is allow companies to "hack back" (something they ALREADY can do) and allow MORE of your personal information to be data-mined by the NSA.

      You notice the contradiction? That's because it's not a cybersecurity bill but a surveillance bill wearing the trappings of cybersecurity.

      We can have good security without sacrificing privacy but this bill is not the way to go and solves nothing.


  • Ninja (profile), 20 Mar 2015 @ 10:02am

    Does that mean companies can launch "defensive measures" against the NSA and other Govt agencies that are deliberately trying to weaken security online by undermining encryption systems and others?

    Oh wait, this bill isn't about cybersecurity after all.


    • Just Another Anonymous Troll, 23 Mar 2015 @ 9:33am

      Re:

      Hmmmmm, since "defensive measures", "cybersecurity threat", and "cybersecurity purposes" are so vaguely defined, a good lawyer could effectively make this open season on the NSA (cybersecurity threat) for any yahoo who can form a company and hack/DDoS them (defensive measures) in an attempt to disrupt their spying operations (cybersecurity purpose). I have a feeling it will get repealed soon after their spying apparatus gets hammered by Anonymous, Inc. completely legally.


  • Anonymous Coward, 20 Mar 2015 @ 10:05am

    Feds to states: Go ahead and ignore state law

    (4) USE OF CYBER THREAT INDICATORS BY STATE, TRIBAL, OR LOCAL GOVERNMENT.—
     . . . .
    (B) EXEMPTION FROM DISCLOSURE.—
    A cyber threat indicator shared with a State, tribal, or local government under this section shall
    be—
     . . . .
    (ii) exempt from disclosure under any State, tribal, or local law requiring disclosure of information or records.

    What the fuck gives the federal government the authority to relieve any agency of the State of Washington from that state agency's obligation to fully obey Washington law?

    What the fucking fuck-fuck?

    Where does it say that in the federal Constitution? It doesn't.


    • Anonymous Coward, 20 Mar 2015 @ 10:38am

      Re: Feds to states: Go ahead and ignore state law

      Amendment X

      The powers not delegated to the United States by the Constitution, nor prohibited by it to the states, are reserved to the states respectively, or to the people.

      (See commentary: “... Congress may not ‘commandeer’ state regulatory processes by ordering states to enact or administer a federal regulatory program...”).


    • Anonymous Coward, 20 Mar 2015 @ 11:05am

      Re: Feds to states: Go ahead and ignore state law

      YO! CALIFORNIA! HEY YOU! OVER THERE!

      What does California have to say about this? Access to public records is written into the California Constitution. Do the feds have some sort of free-floating, untethered authority to tell your state's agencies to ignore your state's constitution?

      What does California have to say about this?


      • GEMont (profile), 23 Mar 2015 @ 11:56am

        Re: Re: Feds to states: Go ahead and ignore state law

        "Do the feds have some sort of free-floating, untethered authority..."

        Does the recently, secretly rewritten (due to 9/11) Constitution of the United States count?

        ---


    • Anonymous Coward, 20 Mar 2015 @ 12:20pm

      Re: Feds to states: Go ahead and ignore state law

      They don't give a damn about the constitution any more than Stalin cared about the sanctity of all life.


    • GEMont (profile), 23 Mar 2015 @ 12:04pm

      Re: Feds to states: Go ahead and ignore state law

      We are sorry, but as an American citizen, recently reclassified as "The Adversary", you are not allowed to read the section of the New Corporate Constitution of the United States of America that pertains to the Federal Authority to relieve any agency of the State of Washington from that state agency's obligation to fully obey Washington law, or for that matter, any other state in the union?

      However, be assured that we do now have the right to do exactly that, and many other things that the old outdated pre-9/11 Constitution did not allow.

      You can trust us when we say that this is entirely for your benefit.

      USG

      ---


  • Anonymous Coward, 20 Mar 2015 @ 10:06am

    The NSA already has "direct access" to Google...

    According to Snowden. -- So how much more can there be? Even the block quote mentions redundancy. -- Don't worry about the RE-dundance when you're not calling for the dundance to be RE-moved. -- Be a leader, Masnick, and suggest some action to roll back the present criminality, not just write up another lame report of more loss.


    • Pragmatic, 23 Mar 2015 @ 8:11am

      Re: The NSA already has "direct access" to Google...

      Mike's job is to report malfeasance, not to correct it. Want leadership? Look in the mirror. There's your boss. Now think for yourself.


  • Anonymous Coward, 20 Mar 2015 @ 10:14am

    C'mon, use the right terms!

    > ... to launch countermeasures (now called "defensive measures" in the bill) for a "cybersecurity purpose" against a "cybersecurity threat."

    Everyone knows this is called "ICE". Data walls, Code Gates, Traces, Sentries, though it'll be a while before we get the mind-computer interfaces that would make Black Ice a reality.

    Ah, the smell of a Cortical Scrub in the morning...


    • Anonymous Coward, 20 Mar 2015 @ 10:33am

      Re: C'mon, use the right terms!

      "Ah, the smell of a Cortical Scrub in the morning..."

      You only THINK you smell it... :-)


  • That One Guy (profile), 20 Mar 2015 @ 10:41am

    Someone's cheering, and it's not just the spies

    Allowing companies to 'fight back' is a recipe for disaster and massive collateral damage, given most major hacks or DDOS attacks are likely to be carried out by compromised computers and networks, with the owners of those computers/networks completely innocent of anything more heinous than clicking on the wrong link or visiting the wrong site.

    Feel like double-trolling someone you don't like? Use their computer/network in an attack, and then watch as the 'counter-attack' results in it being even more broken than before.


    • Anonymous Coward, 20 Mar 2015 @ 11:01am

      Re: Someone's cheering, and it's not just the spies

      Think everybody pirates your files.....


    • orbitalinsertion (profile), 20 Mar 2015 @ 12:00pm

      Re: Someone's cheering, and it's not just the spies

      Well, sure, and since players are more likely to spend money on such a thing rather than actually securing anything in the first place, I'm sure it would make for interesting times when everyone can cyberstand their cyberground.


    • GEMont (profile), 23 Mar 2015 @ 11:51am

      Re: Someone's cheering, and it's not just the spies

      Allowing corporate entities to attack computers they think might cause them grief, or blanket assault a network because of a DDOS attack on their systems, will inevitably lead directly to publicly produced reflection and retaliation technology.

      This is of course the whole plan.

      Once the public starts to react to having their computers wiped by Pissco or Microsloth because someone, somewhere - most likely CIAF BINSA - linked their box as a zombie in an electronic attack on that company, the Surveillance Corporation, currently known as the CIAF BINSA, can "prove" the need for Cyber-security counter-measures and get better tax-payer funding for their next generation of assault wares and better "public" support for the whole concept of Retaliatory Cyber Security.

      It will also "prove" to the tax-paying public, the need for "Retaliatory Cyber-Security" attack wares used by corporations.

      If you want to make legislation that will be obviously unpopular because it pries into public privacy or decreases public communications security, you must first create a crime-laden environment that can be used to show why the legislation is necessary.

      This is how all of the "War On ******" scams are created.

      It's a tried and true business model.

      ---


  • Derek Kerton (profile), 20 Mar 2015 @ 11:23am

    Still Fighting The Last War

    So...with our gov't, we are constantly fighting the last war, with things like taking our shoes off because the last bomber wired his shoes.

    Of course, it's lame to merely be reactive, and to plan and prepare for the attacks that happened in the past. It is smarter, and thus I suggest that we instead prepare for the attacks that might happen in the future.

    So now, our gov't has leapfrogged my suggestion. Instead of fighting the last war, or the next one, we are putting up "defenses" for problems that never happened, and never will.


  • Anonymous Coward, 20 Mar 2015 @ 2:23pm

    The answer is simple

    However many false flags it takes to fool the public.


