from the bad-definitions-make-bad-law dept
Arbitrarily Harms Average Internet Users: The definition of “cybersecurity threat” is overbroad, and includes “any action” that may result in an unauthorized effort to adversely impact the security, confidentiality and availability of an information system or of information stored on such system. Countermeasures can be employed against such threats absent risk of liability. This could lead to use of countermeasures in response to mere terms of service violations. For example, logging into another individual’s social networking account – even with their permission – typically violates the website’s terms of service, and therefore qualifies as unauthorized access under the CFAA, and could be treated as a “cybersecurity threat.” A provision preventing this harm appeared in the July 2012 Cybersecurity Act and should be included in CISA.In other words, under the current broad definition of "cybersecurity threat," an ISP (e.g., Comcast) could argue that another service provider (e.g., Netflix) was "adversely impacting the availability" of information on its network, and thus it was going to take "any action" (e.g., throttling it down to nothing) to deal with the "threat." And, under the proposed legislation, there would be nothing anyone could do about it, as Comcast would be absolved from liability, as long as it could claim that all of that Netflix traffic was the equivalent to a cybersecurity threat according to its own definition.
Infringing on Net Neutrality Policy: Likewise, the July 2012 bill also contained provisions clarifying that nothing in the Act, including overbroad application of the terms “cybersecurity threat” and “countermeasure,” could be construed to modify or alter any Open Internet rules adopted by the Federal Communications Commission. Net neutrality is a complex topic and policy on this matter should not be set by cybersecurity legislation.
The fact that there was language in previous bills that prevented this kind of thing, but is absent from this latest bill seems quite troubling. One hopes it was just an oversight in getting the bill out -- and that seems most likely. But, given how often we've seen nefarious language sneak into certain bills, it's not out of the question that others are recognizing the opportunities to backdoor in a way to get around any possible net neutrality proposal.