Cybersecurity Bill: Protecting Us From Attacks... Or Keeping Our Own Attacks Secret?

from the seems-quite-likely dept

We've been discussing the fight in the Senate over the latest version of the Cybersecurity Act. One of the things we mentioned is that, at 211-pages, it's quite likely there are a ton of little "easter egg" gems in there that the public doesn't want or need, but which we'll be stuck with -- and only discover way down the road. Paul Rosenzweig, over at the Lawfare Blog, may have turned up one of them, in trying to understand Section 706(d), which reads:
(d) DELAY OF NOTIFICATION AUTHORIZED FOR LAW ENFORCEMENT, NATIONAL SECURITY, OR HOMELAND  SECURITY PURPOSES.—No civil or criminal cause of action shall lie or be maintained in any Federal or Statecourt against any entity, and any such action shall be dismissed promptly, for a failure to disclose a cybersecurity threat indicator if—
(1) the Attorney General or the Secretary determines that disclosure of a cybersecurity threat indicator would impede a civil or criminal investigation and submits a written request to delay notification for up to 30 days, except that the Attorney General or the Secretary may, by a subsequent written request, revoke such delay or extend the period of time set forth in the original request made under this paragraph if further delay is necessary;

(2) the Secretary, the Attorney General, or the Director of National Intelligence determines that disclosure of a cybersecurity threat indicator would threaten national or homeland security and submits a written request to delay notification, except that  the Secretary, the Attorney General, or the Director,may, by a subsequent written request, revoke such delay or extend the period of time set forth in the original request made under this paragraph if further delay is necessary.
What's odd about this? Well, it suggests that it says that companies might not get in legal trouble if they don't disclose info. But, as we're constantly reminded, the whole point of the info sharing from companies in this bill is that it's voluntary. So there wouldn't be any cause of action generally when they choose not to share. But, as Rosenzweig thinks through it, there is another scenario where this could come into play: if a company wanted to share info but was stopped -- perhaps because that info implicated the US government itself:
I suppose there is another possibility as well – that they might want to stop temporarily the sharing of CTI when the threat being disclosed is one that has been created by .... Well, NSA. In fact, if you believe that, then the reason the government so much wants to be at the center of CTI sharing is not just to protect the public but also to protect its own methods.
This actually makes a fair amount of sense. Remember, the only two serious cases of digital attacks that we know of -- Stuxnet and Flame -- both appear to have originated from US government officials, and both eventually got out when security firms discovered their existence, and tried to make sense of the malware. So, perhaps part of the "urgency" in trying to pass this bill is to help silence researchers who discover what other malware the US government has put out itself!
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: attacks, cybersecurity, information sharing, nsa, privacy, secrecy


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    Dementia (profile), 31 Jul 2012 @ 8:18am

    And now they're even trying to turn the cybersecurity bill into a gun control bill through amendments.....

    link to this | view in chronology ]

    • identicon
      The Luke Witnesser, 31 Jul 2012 @ 8:38am

      Re:

      Gun control, miniature SOPA-esque provisions, now this. It's pretty clear at this point that the bill was first presented as a version that "addressed" privacy concerns just so they could smuggle the really evil shit in there through amendments. Frankly, I am disgusted with these politicians (as if I wasn't already). Vast majority of them are pretty much soulless scum and all about the power.

      link to this | view in chronology ]

  • identicon
    Anonymous Coward, 31 Jul 2012 @ 8:39am

    " So, perhaps part of the "urgency" in trying to pass this bill is to help silence researchers who discover what other malware the US government has put out itself!"

    This site needs a tin foil hat smiley. This is beyond silly.

    link to this | view in chronology ]

    • icon
      weneedhelp (profile), 31 Jul 2012 @ 8:49am

      Re:

      "This is beyond silly."
      Yeah! Because the US never released malware, and would never want to keep its cyber espionage secret.

      Tinfoil indeed.

      link to this | view in chronology ]

    • icon
      John Fenderson (profile), 31 Jul 2012 @ 8:51am

      Re:

      Why is it silly? We know for a solid fact that the US government creates and distributes malware for use against entities it considers targets. It seems logical that they would want to take steps to keep any specific action a secret.

      This isn't tinfoil hat territory at all.

      link to this | view in chronology ]

    • identicon
      Anonymous Coward, 31 Jul 2012 @ 8:55am

      Re:

      Consipracy theories are only tinfoil hat worthy when you don't have proof of one. And it just so happens the only "cyberwar" malware was put out by our own goverment.

      That's far more evidence than the anti big search crowd
      who claim google is in control of both the deafeat of SOPA and is controlling MIke have.

      link to this | view in chronology ]

    • identicon
      Another AC, 31 Jul 2012 @ 8:55am

      Re:

      1/10 for Insightful. Any counter arguments or points of debate? Or is that all we get?

      link to this | view in chronology ]

    • icon
      Ninja (profile), 31 Jul 2012 @ 9:34am

      Re:

      This AC needs a few slaps on the face to wake up from his dream world.

      link to this | view in chronology ]

      • identicon
        Anonymous Coward, 31 Jul 2012 @ 10:34am

        Re: Re:

        This from the guy who appears to be wallowing in the fool-aid.

        Mike denies cyberwar over and over again, and now raises the thought of it when it suits him. How quaint!

        link to this | view in chronology ]

        • icon
          Chuck Norris' Enemy (deceased) (profile), 31 Jul 2012 @ 10:57am

          Re: Re: Re:

          You half-wit! If the only "cyberwar" that exists comes from our own government then who is this war really against?

          link to this | view in chronology ]

        • icon
          John Fenderson (profile), 31 Jul 2012 @ 4:33pm

          Re: Re: Re:

          Where did Mike say "cyberwar"?

          link to this | view in chronology ]

          • identicon
            Anonymous Coward, 31 Jul 2012 @ 9:20pm

            Re: Re: Re: Re:

            As far as my browser's search function can devine, "cyber war"/"cyberwar" is only mentioned by random commenters and not Mike himself.

            link to this | view in chronology ]

  • identicon
    Anonymous Coward, 31 Jul 2012 @ 8:41am

    it's definitely to keep secret the invasion of privacy being executed on our own people. any and all so-called security bills are meant to do the same thing with the addition of stopping the people from finding out what the government is really up to, so corrupt politicians and corporation execs can continue to line their own pockets at the expense of others.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 31 Jul 2012 @ 9:31am

    Remember, the only two serious cases of digital attacks that we know of -- Stuxnet and Flame -- both appear to have originated from US government officials, and both eventually got out when security firms discovered their existence, and tried to make sense of the malware.


    Weren't most of these security firms from other countries?

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 31 Jul 2012 @ 9:34am

    So you just think this is a way to stop companies from revealing government info? Perhaps you are looking too closely into this. I Hope.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 31 Jul 2012 @ 11:29am

    A few things for sure, whoever wrote this section knows exactly what they want and most people wouldn't agree with it. It's meant to be obscure and hard to define - until put in action. Then we will know what they meant.

    The Patriot Act for the internet?

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 31 Jul 2012 @ 6:00pm

    The US government is lawless and rogue. They like to dot their "i"s and cross their "t"s legislatively, but let's not forget that if they are just as happy to ignore, twist and abuse the law if it happens to be inconvenient to follow it in good faith.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 31 Jul 2012 @ 8:45pm

    Any time they get a case they don't quite know what to do with it seems it always comes back to a national security issue.

    I would like to remind readers that not to long ago, the US military claimed that a cyber attack was the same as provocation for war. In essence the US has through the release of cyber attacks already declared war on Iran.

    link to this | view in chronology ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.