Washington DC: where no bad idea ever truly dies. CISPA, the infamous "cybersecurity" bill that has twice failed to cross the President's desk is back again. This is the Senate's attempt at a cybersecurity bill, so it doesn't sport the same gaudy initials (those belong to the House), but it's still the same set of terrible ideas.
The Senate's previous attempts to write its own cybersecurity bill were supposedly prompted by privacy concerns, something the House version treated as wholly irrelevant to securing our nation from cyberattacks. This new bill may decide privacy is the only thing irrelevant to national security, seeing as it's been crafted by Dianne Feinstein and Saxby Chambliss, both largely supportive of the NSA's (recently exposed) activities.
The new bill sports the following title: Cybersecurity Information Sharing Act of 2014. CISPA without the "p," apparently. Out with the "protection" (which was nominal) and in with the oversharing of cyberthreat information.
The bill, like others before it, grants broad immunity to participating companies, stripping away one of the few reasons these entities might stick up for their customers (and their data) and consider plugging the security hole before turning that info over to both the military, national security agencies and, well, any number of government agencies or competitors. The text of the bill leaves that almost completely unspecified.
The new, 39-page draft bill, written by Sen. Dianne Feinstein (D-Calif.), chairman of the intelligence committee, and Sen. Saxby Chambliss (Ga.), the ranking Republican, states that no lawsuit may be brought against a company for sharing threat data with “any other entity or the federal government” to prevent, investigate or mitigate a cyberattack.
This immunity screws up incentives and encourages questionable behavior, as it to be expected when accountability is removed.
There's a small nod to privacy in the bill, but it carries with it some potential weasel words that could completely undermine the protection.
An entity sharing cyber threat indicators pursuant to this Act shall, prior to such sharing, remove any information contained within such indicators that is known to be personal information of or identifying a United States person, not directly related to a cybersecurity threat in order to ensure that such information is protected from unauthorized disclosure to any other entity or the Federal Government.
Considering what the NSA and others have deemed "relevant"
to their counterterrorism efforts, lots of personal data could easily be construed as being "directly related" to a potential cybersecurity threat.
Other protections are equally as malleable. Law enforcement agencies are allowed to avail themselves of cyberthreat information, but only if given written consent from the entity(ies) involved. But that "only" isn't actually a limitation. The paragraph immediately following the "written consent" stipulation creates the same sort of loophole that agencies like the FBI have abused
to the point of surreality in the past.
If the need for immediate use prevents obtaining written consent, such consent may be provided orally with subsequent documentation of the consent.
IN CASE OF EMERGENCY, BREAK PROTECTIONS.
Giving law enforcement or indeed any
agency this sort of manual override undercuts anything stipulated previously. This encourages a culture of asking forgiveness, rather than permission. Grab the data
and justify it post facto. That's no protection at all, especially when granted immunity gives companies absolutely no reason to push back on these oral requests.
This may only be the draft version, and there will be several changes made before it goes up for a vote, but this groundwork is far from heartening. It appears as though no one involved has learned anything from CISPA's two troubled trips through the House, not to mention the new concerns prompted by leaked NSA documents.
Further gestures in the direction of civil liberties and privacy protections are made later in the bill (under a heading "Privacy and Civil Liberties" no less), but those protections are roughly identical to existing policies governing the NSA's (and FBI's) mass collection of American metadata -- oversight
, both of which have been subverted by these agencies.
The bill also consolidates more power within the DHS, creating an "all roads lead to the DHS" method of managing cyberthreat information. If there's one entity which has proven time and time again to be both a) mostly useless
and b) prone to abusive behavior
, it's the DHS. And yet, the bill calls for the agency to be the central cyberthreat repository.
IN GENERAL.—Not later than 90 days after the date of the enactment of this Act, the Secretary of Homeland Security, in coordination with the heads of the appropriate Federal entities, shall develop and implement a capability and process within the Department of Homeland Security that—
(A) shall accept from any entity in real time cyber threat indicators and countermeasures in an electronic format, pursuant to this section;
(B) shall, upon submittal of the certification under paragraph (2) that such capability and process fully and effectively operates as described in such paragraph, be the process by which the Federal Government receives cyberthreat indicators and countermeasures in an electronic format that are shared by an entity with the Federal Government…
Unfortunately, as terrible as the DHS is at determining threats and sharing information, there's probably no way to route around it. The post-9/11 agency is now the government's national security clearinghouse, and everything flows to it, even if it's usually the agency least likely to make productive use of the information. While cyberthreats pile up, DHS agents will be chasing down people
taking pictures of public structures
Believe it or not, this bill putting DHS as the central authority is actually one half-step better than the likely alternative, which is making NSA the central player. For many years now, there's actually been something of a turf war
between DHS and NSA over who gets to control the (increasingly massive) cybersecurity budget. And a bill that designates DHS as the "winner" of that turf battle at least gives it a slight preference over the NSA -- though, unfortunately, this bill would let DHS share info with NSA freely, which is yet another problem.
CISPA may have seemed at least half-dead, but Feinstein and Chambliss are breathing life into its lumbering carcass. You would think the last several months, combined with CISPA's earlier struggles, would have resulted in a better cybersecurity bill. Instead, it actually seems worse
“This is definitely a step back,” said Gabe Rottman, legislative counsel and policy adviser for the American Civil Liberties Union, who was shown a copy of the draft. “The problem is the definitions of what can be shared and who it can be shared with are too broad. In this draft, companies can share data with the military and the NSA. Given the past revelations, I think it’s important to keep this information in civilian hands.”
And that's just one of several problems. Combine the bill's wording with the administration's tacit approval
of the NSA's exploit stockpile and you've got something that will generate millions of dollars worth of budget line items while doing very little to make anyone -- even the government itself -- any safer.