CISPA Take 3: Feinstein & Chambliss Draft Another Cybersecurity Bill, Designed To Wipe Out Your Privacy
from the only-massive-amounts-of-government-can-keep-you-safe dept
Washington DC: where no bad idea ever truly dies. CISPA, the infamous "cybersecurity" bill that has twice failed to cross the President's desk is back again. This is the Senate's attempt at a cybersecurity bill, so it doesn't sport the same gaudy initials (those belong to the House), but it's still the same set of terrible ideas.
The Senate's previous attempts to write its own cybersecurity bill were supposedly prompted by privacy concerns, something the House version treated as wholly irrelevant to securing our nation from cyberattacks. This new bill may decide privacy is the only thing irrelevant to national security, seeing as it's been crafted by Dianne Feinstein and Saxby Chambliss, both largely supportive of the NSA's (recently exposed) activities.
The new bill sports the following title: Cybersecurity Information Sharing Act of 2014. CISPA without the "p," apparently. Out with the "protection" (which was nominal) and in with the oversharing of cyberthreat information.
The bill, like others before it, grants broad immunity to participating companies, stripping away one of the few reasons these entities might stick up for their customers (and their data) and consider plugging the security hole before turning that info over to both the military, national security agencies and, well, any number of government agencies or competitors. The text of the bill leaves that almost completely unspecified.
The new, 39-page draft bill, written by Sen. Dianne Feinstein (D-Calif.), chairman of the intelligence committee, and Sen. Saxby Chambliss (Ga.), the ranking Republican, states that no lawsuit may be brought against a company for sharing threat data with “any other entity or the federal government” to prevent, investigate or mitigate a cyberattack.This immunity screws up incentives and encourages questionable behavior, as it to be expected when accountability is removed.
There's a small nod to privacy in the bill, but it carries with it some potential weasel words that could completely undermine the protection.
An entity sharing cyber threat indicators pursuant to this Act shall, prior to such sharing, remove any information contained within such indicators that is known to be personal information of or identifying a United States person, not directly related to a cybersecurity threat in order to ensure that such information is protected from unauthorized disclosure to any other entity or the Federal Government.Considering what the NSA and others have deemed "relevant" to their counterterrorism efforts, lots of personal data could easily be construed as being "directly related" to a potential cybersecurity threat.
Other protections are equally as malleable. Law enforcement agencies are allowed to avail themselves of cyberthreat information, but only if given written consent from the entity(ies) involved. But that "only" isn't actually a limitation. The paragraph immediately following the "written consent" stipulation creates the same sort of loophole that agencies like the FBI have abused to the point of surreality in the past.
If the need for immediate use prevents obtaining written consent, such consent may be provided orally with subsequent documentation of the consent.IN CASE OF EMERGENCY, BREAK PROTECTIONS.
Giving law enforcement or indeed any agency this sort of manual override undercuts anything stipulated previously. This encourages a culture of asking forgiveness, rather than permission. Grab the data and justify it post facto. That's no protection at all, especially when granted immunity gives companies absolutely no reason to push back on these oral requests.
This may only be the draft version, and there will be several changes made before it goes up for a vote, but this groundwork is far from heartening. It appears as though no one involved has learned anything from CISPA's two troubled trips through the House, not to mention the new concerns prompted by leaked NSA documents.
Further gestures in the direction of civil liberties and privacy protections are made later in the bill (under a heading "Privacy and Civil Liberties" no less), but those protections are roughly identical to existing policies governing the NSA's (and FBI's) mass collection of American metadata -- oversight and minimization, both of which have been subverted by these agencies.
The bill also consolidates more power within the DHS, creating an "all roads lead to the DHS" method of managing cyberthreat information. If there's one entity which has proven time and time again to be both a) mostly useless and b) prone to abusive behavior, it's the DHS. And yet, the bill calls for the agency to be the central cyberthreat repository.
IN GENERAL.—Not later than 90 days after the date of the enactment of this Act, the Secretary of Homeland Security, in coordination with the heads of the appropriate Federal entities, shall develop and implement a capability and process within the Department of Homeland Security that—Unfortunately, as terrible as the DHS is at determining threats and sharing information, there's probably no way to route around it. The post-9/11 agency is now the government's national security clearinghouse, and everything flows to it, even if it's usually the agency least likely to make productive use of the information. While cyberthreats pile up, DHS agents will be chasing down people taking pictures of public structures.
(A) shall accept from any entity in real time cyber threat indicators and countermeasures in an electronic format, pursuant to this section;
(B) shall, upon submittal of the certification under paragraph (2) that such capability and process fully and effectively operates as described in such paragraph, be the process by which the Federal Government receives cyberthreat indicators and countermeasures in an electronic format that are shared by an entity with the Federal Government…
Believe it or not, this bill putting DHS as the central authority is actually one half-step better than the likely alternative, which is making NSA the central player. For many years now, there's actually been something of a turf war between DHS and NSA over who gets to control the (increasingly massive) cybersecurity budget. And a bill that designates DHS as the "winner" of that turf battle at least gives it a slight preference over the NSA -- though, unfortunately, this bill would let DHS share info with NSA freely, which is yet another problem.
CISPA may have seemed at least half-dead, but Feinstein and Chambliss are breathing life into its lumbering carcass. You would think the last several months, combined with CISPA's earlier struggles, would have resulted in a better cybersecurity bill. Instead, it actually seems worse.
“This is definitely a step back,” said Gabe Rottman, legislative counsel and policy adviser for the American Civil Liberties Union, who was shown a copy of the draft. “The problem is the definitions of what can be shared and who it can be shared with are too broad. In this draft, companies can share data with the military and the NSA. Given the past revelations, I think it’s important to keep this information in civilian hands.”And that's just one of several problems. Combine the bill's wording with the administration's tacit approval of the NSA's exploit stockpile and you've got something that will generate millions of dollars worth of budget line items while doing very little to make anyone -- even the government itself -- any safer.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: cisa, cispa, cybersecurity, dhs, dianne feinstein, homeland security, immunity, information sharing, nsa, privacy, saxby chambliss
Reader Comments
Subscribe: RSS
View by: Time | Thread
Here's hoping for the usual short-sightedness
Mind, the fact that one of their more strident 'defenders' is involved in writing the bill doesn't bode well for that, but hopefully the NSA's ego will manage to re-assert itself and they'll be back to attacking any perceived 'threats' to their power and authority.
[ link to this | view in thread ]
[ link to this | view in thread ]
Not much I can do...
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Not much I can do...
I imagine the response would be the standard 'Everything is fine citizen, this is all for your protection, so sit back down and be silent' crap that usually gets sent out in response to any and all criticism on stuff like this, but even so, pointing out that she's fooling no-one is worth saying.
[ link to this | view in thread ]
Targeted Marshal Law
What I don't understand is that when more than half the population is in prison, with another third of the population guarding them, and another third producing what is needed to drive the first two, who's gonna be left to watch their stupid movies?
[ link to this | view in thread ]
Re: Actually the bill is called...
Orwellian
Data &
Information
Obretion
Universal
Statist
bill...
And even with that name it might pass, At least I hope it does.
[ link to this | view in thread ]
Like being in state of war for decades now? Indeed, emergencies are overrated.
[ link to this | view in thread ]
Why don't the people who write these bills just come out and say what they're really thinking. Which is, "Screw the US Constitution!"
The worst part is, all the dangerous hackers launching cyber attacks, are smart enough to cover their tracks by purchasing a Virtual Private Server on Amazon Cloud, using a stolen credit card. Plus bouncing their connection through 5 VPN networks located in 5 different countries, plus through TOR.
Meanwhile, average Joe citizen is having all their personal information handed over to DHS, FBI, NSA, CIA, and God knows who else. All the while the real 'cyber criminals' are laughing their asses off and sipping martinis on a tropical beach somewhere after hitting Target up for millions of dollars.
But don't let that stop you from passing a bill that scarifies everyone's civil rights in return for no security what so ever. Go ahead and do what you do best, Sen. Spystein. Go ahead and grand that retroactive immunity blanket you're so fond of.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Between this and the erosion of Net Neutrality, it's safe to say we're the next Soviet Union. This is why the likes of Brazil and the Eurozone will be the new paragons of freedom and economic success while the USA will go down in history as yet another repressive regime that eventually collapsed under its own weight.
[ link to this | view in thread ]
[ link to this | view in thread ]
Please people, if any of these statist cronies serve your area and are up for reelection, dont vote them back in, they've proven that they will sell you out to the dogs. Even if you have to bite the bullet and vote the opposite party, the worse that they can do is merely maintain the status quo.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Re: Not much I can do...
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
But no, there's too much comedy/shenanigans involved.
[ link to this | view in thread ]
Re: Not much I can do...
[ link to this | view in thread ]
Welcome to the land of the Oligarchs !
Bow low to the master.
[ link to this | view in thread ]
Re: Re:
Canada isn't there yet, if numbers are right, Emperor Harper will be kicked out next year.
I'm gonna have such a boner. No for real. Even if they end up with a thinly in power minority government. I really love the fact he's being bitchslapped by Obama over the Keystone XL pipeline. Liberals + NDP should form a coalition to prevent them a minority government, but these 2 are hard to re conciliate because the Liberals view the extremely high (and first time official opposition) voting in their favour instead of them in 2011 cos it left a bitter taste in the Libs mouth. But petty politics will lose when it comes against a "majority" government that got barely 38% of the votes.
We live under crypto-fascism when tories are in power because they do not hide they represent a foreign power more than their own country (England) while Liberals have brought in the constitution 30 years ago and ignore the british royal family and that is why Canada always accumulates surplus under Liberals.
[ link to this | view in thread ]
Wrong. The lesson they learned is the same lesson they've gotten for years: that they can do whatever the hell they want, whenever they want.
Oh, sure they meet some resistance from time to time, like with SOPA/PIPA, but what REAL consequences did any of them face? They've all still got their jobs, and until that starts happening in signficant numbers, they aren't going to give a shit about the people (and I can't say I blame them - if I stood on a balcony and spat on people all day, and people complained but never had me removed from the balcony, why would I stop spitting on them?)
[ link to this | view in thread ]
It's moments like this...
[ link to this | view in thread ]
Re: Re: Not much I can do...
[ link to this | view in thread ]
Re:
I also agree with John Fenderson that some of it is not only here already, but has been for years now.
[ link to this | view in thread ]
Cash Cows not Sheep
Hey, no probs!
After all, you, the taxpayer, are good for it.
Besides, safer aint the plan.
Weaker, stupider, busier, drunker, sicker and suggestible, now that's the plan, cuz then the taxpayer aint just good for it, he won't even mind being buggered, if he even ever realizes he's footing the bill for his own destruction.
And with China considering foreclosing on their loan to finance the US war effort abroad, you'd damn well better be good for it cuz the fed is up to its ass in debts and is NOT considering spending less any tine soon.
[ link to this | view in thread ]
Re:
No consequences means no reason to change and in fact offers a very clear rationale for expansion and escalation.
[ link to this | view in thread ]
Re:
So they got George Bush to suspend it right after 9/11 when he secretly declared war on anyone who gets in the way of their progress.
Now the Corporate Government; otherwise known as a Fascist Business Venture, only allows the constitution to be used in cases where it has no effect on Federal Operations.
In other words, the Constitution no longer applies unless the Fed wants it to apply, because its been secretly suspended for the duration of the secret war effort.
You wouldn't know this of course, because you are after all, the enemy. :)
[ link to this | view in thread ]
Re: Cash Cows not Sheep
You've got that right.
[ link to this | view in thread ]
Re: Re: Cash Cows not Sheep
Poorer citizens need to keep their shitty jobs, so they will just tow the line and shut the fuck up like good little wage slaves.
Poorer population means more minions for hire to do the dirty deeds of the rich and powerful.
Poorer people have no voice and will waste their energy in prayer, especially if they fear and hate each other.
Poorer people cannot counteract the diseases that will be introduced to make them sicker and will beg for free vaccinations laced with with even nastier diseases and heavy metals.
Yep, really can't forget Poorer.
Its probably the most important part of the plan.
[ link to this | view in thread ]
Re: Not much I can do...
[ link to this | view in thread ]