Cybersecurity Bill: Protecting Us From Attacks... Or Keeping Our Own Attacks Secret?
from the seems-quite-likely dept
We've been discussing the fight in the Senate over the latest version of the Cybersecurity Act. One of the things we mentioned is that, at 211 pages, it's quite likely there are a ton of little "easter egg" gems in there that the public doesn't want or need, but which we'll be stuck with -- and only discover way down the road. Paul Rosenzweig, over at the Lawfare Blog, may have turned up one of them, in trying to understand Section 706(d), which reads:

(d) DELAY OF NOTIFICATION AUTHORIZED FOR LAW ENFORCEMENT, NATIONAL SECURITY, OR HOMELAND SECURITY PURPOSES.—No civil or criminal cause of action shall lie or be maintained in any Federal or State court against any entity, and any such action shall be dismissed promptly, for a failure to disclose a cybersecurity threat indicator if—

What's odd about this? Well, it says that companies can't get in legal trouble for not disclosing info. But, as we're constantly reminded, the whole point of the info sharing from companies in this bill is that it's voluntary. So there generally wouldn't be any cause of action when they choose not to share. But, as Rosenzweig thinks through it, there is another scenario where this could come into play: if a company wanted to share info but was stopped -- perhaps because that info implicated the US government itself. Look at the two conditions under which 706(d) applies, and at who gets to order the delay:

(1) the Attorney General or the Secretary determines that disclosure of a cybersecurity threat indicator would impede a civil or criminal investigation and submits a written request to delay notification for up to 30 days, except that the Attorney General or the Secretary may, by a subsequent written request, revoke such delay or extend the period of time set forth in the original request made under this paragraph if further delay is necessary;

(2) the Secretary, the Attorney General, or the Director of National Intelligence determines that disclosure of a cybersecurity threat indicator would threaten national or homeland security and submits a written request to delay notification, except that the Secretary, the Attorney General, or the Director, may, by a subsequent written request, revoke such delay or extend the period of time set forth in the original request made under this paragraph if further delay is necessary.

As Rosenzweig puts it:

I suppose there is another possibility as well – that they might want to stop temporarily the sharing of CTI when the threat being disclosed is one that has been created by .... Well, NSA. In fact, if you believe that, then the reason the government so much wants to be at the center of CTI sharing is not just to protect the public but also to protect its own methods.

This actually makes a fair amount of sense. Remember, the two most prominent cases of state-built malware that we know of -- Stuxnet and Flame -- both appear to have originated from the US government, and both eventually came to light when security firms discovered them and tried to make sense of the malware. So, perhaps part of the "urgency" in trying to pass this bill is to help silence researchers who discover what other malware the US government has put out itself!
Filed Under: attacks, cybersecurity, information sharing, nsa, privacy, secrecy
Reader Comments
This site needs a tin foil hat smiley. This is beyond silly.
Re:
Yeah! Because the US never released malware, and would never want to keep its cyber espionage secret.
Tinfoil indeed.
Re:
This isn't tinfoil hat territory at all.
Re:
That's far more evidence than the anti-big-search crowd, who claim Google is in control of both the defeat of SOPA and is controlling Mike, have.
Re: Re:
Mike denies cyberwar over and over again, and now raises the thought of it when it suits him. How quaint!
Weren't most of these security firms from other countries?
The Patriot Act for the internet?
I would like to remind readers that not too long ago, the US military claimed that a cyber attack was the same as a provocation for war. In essence, the US has, through the release of cyber attacks, already declared war on Iran.