Why CISPA Could Actually Lead To More Hacking Attacks

from the unintended-consequences dept

Wed, Mar 13th 2013 2:01pm — Mike Masnick

One thing we've talked about for years is that lawmakers are notoriously bad at thinking through the unintended consequences of legislation they put forth. They seem to think that whatever they set the law to be will work perfectly, and that there won't be any other consequences. This is one reason why we're so wary of simple "fixes" even when the idea or purpose sound good up front. "Protecting artists" sounds good... unless it destroys the kinds of services artists need. Cybersecurity sounds good, unless it actually makes it easier to violate your privacy. And, now, people are realizing that not only may cybersecurity rules like CISPA be awful for privacy, but they could potentially lead to more "cyber" attacks, as companies look to "hack back" against those who attack them. As Politico describes:

The idea is known as "active defense" to some, "strike-back" capability to others and "counter measures" to still more experts in the burgeoning cybersecurity field. Whatever the name, the idea is this: Don't just erect walls to prevent cyberattacks, make it more difficult for hackers to climb into your systems — and pursue aggressively those who do.

So, how would cybersecurity rules create more hacking? Well, possibly by encouraging this kind of behavior by providing some amount of cover for it. The Cybersecurity bill in the Senate last year included an undefined allowance for "counter measures." CISPA doesn't explicitly mention that, but some in the security field are interpreting the bill to provide some amount of cover for such "counter measures" in which they could "perform hacks against threats." But, if you're trying to discourage online attacks, that seems like a problem. The likelihood of someone attacking the wrong target is quite high, and it could create quite a mess.

Thankfully, the folks behind CISPA suggest that they're willing to change the bill to make it more explicit that such countermeasures are not allowed, but until that's in place, it's a serious concern:

Some of those fears have reached Rep. Mike Rogers (R-Mich.), chairman of the chamber's Intelligence Committee and one of CISPA's lead authors. In fact, panel aides told POLITICO they're open to revising the relevant definitions in the bill. And Rogers himself this year has railed on the idea of an aggressive active defense, describing it as a "disaster for us" at a time when the country's digital defenses remain subpar.

Even if they fix this particular hole, it's these kinds of things that should worry all of us about broad laws that provide things like blanket immunity over ill-defined concepts like "cybersecurity" and "cyberattacks." The likelihood of it being abused is quite high, especially in an ever changing technology world. Just look at computer laws like the CFAA and ECPA, which cover various computer crimes and privacy today. Both are ridiculously outdated, with concepts that are laughable by any rational view today. And thus, there are massive unintended consequences associated with both laws. Before we rush into creating new laws with big broad vague terms, perhaps we should focus on fixing the old laws and proceeding with caution on any new ones.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: active defense, cispa, counter measures, cybersecurity, hacking, privacy, strike back, unintended consequences

15 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Corwin (profile), 13 Mar 2013 @ 2:08pm

"I just wrote
We now live in a world where the only citizens are companies (with more rights the richer they get) and humans are commodities, where no one truly owns anything, and everyone is a criminal under some law or other.

If that law passes, companies will be allowed to do what Aaron Swartz killed himself for being accused of doing.

REVOLUTION NOW.
[ link to this | view in chronology ]
This comment has been flagged by the community. Click here to show it

out_of_the_blue, 13 Mar 2013 @ 2:18pm

This comment has been flagged by the community.
So be sure to read it. Heh, heh. A tactic that should enchance my notice while undermining the rampant mis-use of your precious "report" buttons.

"it's these kinds of things that should worry all of us"

Anyhoo, EVER noticed, Mike, that you too gin up worries that are yet to appear? Seems the whole country thrives on fake fears. It's about the only growing industry in the US. And similarly, you never have any solutions to propose, nor any real condemnation to deliver, just wring your hands. -- Oh, my! The sky is about to fall! Perhaps we should focus on fixing the old airs and proceeding with caution on any new gases!
[ link to this | view in chronology ]
- Anonymous Coward, 13 Mar 2013 @ 5:44pm
  
  Re: This comment has been flagged by the community.
  Mike often does offer solutions to the problem he discuses and in the case it should go without saying that the solution is for the government to stop making privacy murderous laws for not-existent cyberwars.
  [ link to this | view in chronology ]
- Anonymous Coward, 13 Mar 2013 @ 11:52pm
  
  Re: This comment has been flagged by the community.
  Worries that are yet to appear? Funny, that's exactly what happened with the Boston Strangler VCR, and we don't see you criticising that.
  [ link to this | view in chronology ]
Anonymous Coward, 13 Mar 2013 @ 2:53pm

If they leave in the hole, the MAFIAA will use it to its maximum extent and beyond. They will think that it makes the Likes of the Sony root kit legal, and with worse results.
[ link to this | view in chronology ]
ahow628 (profile), 13 Mar 2013 @ 3:10pm

Old hat
So let me get this straight: More hacking = less cybercrime? Where have I heard this before? Oh yeah, more guns = less violence. Suffice it to say, I don't believe either.
[ link to this | view in chronology ]
- Anonymous Coward, 13 Mar 2013 @ 4:16pm
  
  Re: Old hat
  I the equivalent to "more hacking = less cybercrime" is actually "more shooting = less violence."
  
  The idea of the second amendment is to prevent the government from weakening the people enough that they can't be overthrown. It wasn't intended to save the lives of the general public during peace time, and it's effectiveness at that can be debated. Of course it's original intent is a little less effective now that the government has tanks and machine guns, which probably shouldn't be in the hands of the general public.
  [ link to this | view in chronology ]
  - Anonymous Coward, 13 Mar 2013 @ 4:44pm
    
    Re: Re: Old hat
    Wow, you actually understand the purpose of the second amendment. I thought I was alone.
    [ link to this | view in chronology ]
- Corwin (profile), 13 Mar 2013 @ 4:17pm
  
  Re: Old hat
  No, no, you don't get it. If a human uses some service in ways not explicitly allowed by that service's terms, then it's illegal hacking. If it's a company doing it, it's active countermeasures.
  
  See the difference?
  [ link to this | view in chronology ]
Anonymous Coward, 13 Mar 2013 @ 6:07pm

The existing amount of hacking attacks justifies bills to fix it. These bills create more hacking attacks which justify more bills creating more hacking attacks justifying more bills. Eventually a bunch of federal agencies are created to deal with the problem, these federal agencies hire people which create jobs and that's always a good thing.
[ link to this | view in chronology ]
- Anonymous Coward, 13 Mar 2013 @ 6:22pm
  
  Re:
  Oh, and lets not forget. More bills = more government contracts = more jobs which is good. It's like with the TSA. They aren't really doing much for national security but at least the agency creates a fair deal of job security.
  [ link to this | view in chronology ]
- Anonymous Coward, 14 Mar 2013 @ 2:48am
  
  Re:
  these federal agencies hire people which create jobs and that's always a good thing.
  
  Really, you think increasing the non-productive jobs in society is a good thing. Where will the money come from to pay these people, and remember their taxes are just a discount on the wages paid and not income for the government.
  [ link to this | view in chronology ]
  - Anonymous Coward, 14 Mar 2013 @ 8:14am
    
    Re: Re:
    You don't get sarcasm much do you
    [ link to this | view in chronology ]
Ninja (profile), 14 Mar 2013 @ 4:18am

By the increasing alarmist tone of the administration this'll be approved. Now I wonder if we'll see some Govt-sponsored-cyber-9/11 to justify the new Patriot Act (CISPA).
[ link to this | view in chronology ]
Rick Smith (profile), 14 Mar 2013 @ 8:42am

Time to learn how to wage cyberwar
Well, I guess I better start to learn to initiate effective counter measures myself.

If one thing that has been proven in the last decade is that the 'corporate' world is really-really, good at getting it wrong. So when the eventuality happens and a website mis-identifies a legitimate user as an attacker, this loophole should be usable by user as well. What we will have is the equivalent of mutually assured destruction on the internet (since everyone will be afraid to use a site for anything more than your basics) but if laws like this get passed into existence the best way to combat them is to use them against those that thought them a good idea.
[ link to this | view in chronology ]