Simple Question: What Cyberattack Would The New Cybersecurity Bill Have Stopped?

from the until-you-can-answer-that... dept

Fri, Mar 20th 2015 9:23am — Mike Masnick

Last week, the Senate Intelligence Committee voted (in secret, of course) to approve a new cybersecurity bill, dubbed CISA (as it was in the last Congress), though it kept the content of the actual bill secret until this week. The only Senator who voted against it was... Senator Wyden, of course, who rightly pointed out that this bill is "not a cybersecurity bill – it’s a surveillance bill by another name."

The good folks over at the EFF have a rundown on why the bill is terrible:

Aside from its redundancy, the Senate Intelligence bill grants two new authorities to companies. First, the bill authorizes companies to launch countermeasures (now called "defensive measures" in the bill) for a "cybersecurity purpose" against a "cybersecurity threat." "Cybersecurity purpose" is so broadly defined that it means almost anything related to protecting (including physically protecting) an information system, which can be a computer or software. The same goes for a "cybersecurity threat," which includes anything that "may result" in an unauthorized effort to impact the availability of the information system.

Even with the changed language, it's still unclear what restrictions exist on "defensive measures." Since the definition of "information system" is inclusive of files and software, can a company that has a file stolen from them launch "defensive measures" against the thief's computer? What's worse, the bill may allow such actions as long as they don't cause "substantial" harm. The bill leaves the term "substantial" undefined. If true, the ~~countermeasures~~ "defensive measures" clause could increasingly encourage computer exfiltration attacks on the Internet—a prospect that may appeal to some "active defense" (aka offensive) cybersecurity companies, but does not favor the everyday user.

Second, the bill adds a new authority for companies to monitor information systems to protect an entity's hardware or software. Here again, the broad definitions could be used in conjunction with the monitoring clause to spy on users engaged in potentially innocuous activity. Once collected, companies can then share the information, which is also called “cyber threat indicators,” freely with government agencies like the NSA.

Also, the bill goes away from previous cybersecurity bills that put Homeland Security in charge (which, by itself, isn't great, but DHS is the best option if you're debating between DHS, the NSA and the FBI). While the information still goes to DHS under this bill, DHS doesn't then get to parse through it and figure out where it goes. Instead, the info needs to be shared "in real time" with the NSA. All of which just gives weight to the fact that this is a surveillance bill, not a bill to protect against "cybersecurity attacks."

But if you want to know the single biggest reason why this bill is bogus: ask those supporting it what cybersecurity attack this bill would have stopped. And you'll notice they don't have an answer. That's because it's not a cybersecurity bill at all. It's just a bill to try to give the government more access to your user info.

Cisa 2015 as Filed (PDF)Cisa 2015 as Filed (Text)

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: cisa, cybersecurity, dhs, information sharing, nsa, ron wyden, senate intelligence committee, surveillance

23 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Anonymous Coward, 20 Mar 2015 @ 9:44am

You can't let spy agencies in charge of your security. I don't care that they have 90 percent of world's "cyber" expertize (which they don't) - they are just completely INCOMPATIBLE with the security mission.

NSA's mission = hacking and surveillance

Cybersecurity = encryption and UNBREAKABLE security design

See how the two are INCOMPATIBLE?

A civil and transparent agency should be in charge cybersecurity. And by transparent, I don't mean Obama's type of Transparency™
[ link to this | view in chronology ]
Anonymous Coward, 20 Mar 2015 @ 9:55am

A flippant answer would be "none" since the bill is just that, a bill that has not been enacted into law. Moreover, even if enacted the bill itself will not stop attacks, because that can only be done by people using technological and physical measures effective to thwart such untoward activities by persons intent upon breaching computer systems. What the bill is apparently intended to do, at least in part, it to provide potential victims with what I would term a "digital right of self-defense" that does not run afoul of current law.

I understand the criticisms leveled by people over at the EFF, but what they say about generalities is true of every piece of legislation passed by every federal and state legislative body since laws were first committed to writing. To be accurate, the only "perfect" bill is one that is never enacted...but in a society as ours that is based upon the rule of law that is not possible, so flexibility in language must be provided and tolerated.
[ link to this | view in chronology ]
- Anonymous Coward, 20 Mar 2015 @ 10:11am
  
  Re:
  That doesn't change the fact it's still a bad bill. See language is important and according to the bill the language used is so broad that much like the CFAA it can be so easily abused.
  
  And again, this is being pushed as a cyberSECURITY bill which by definition (ie most sensible people) means protecting and encrypting systems so they can't be hacked into. What this bill does is the exact opposite, all it does is allow companies to "hack back" (something they ALREADY can do) and allow MORE of your personal information to be data-minded by the NSA.
  
  You notice the contradiction? That' because it's not a cybersecurity bill but a surveillance bill wearing the trappings of cybersecurity.
  
  We can have good security without sacrificing privacy but this bill is not the way to go and solves nothing.
  [ link to this | view in chronology ]
Ninja (profile), 20 Mar 2015 @ 10:02am

Does that mean companies can launch "defensive measures" against the NSA and other Govt agencies that are deliberately trying to weaken security online by undermining encryption systems and others?

Oh wait, this bill isn't about cybersecurity after all.
[ link to this | view in chronology ]
- Just Another Anonymous Troll, 23 Mar 2015 @ 9:33am
  
  Re:
  Hmmmmm, since "defensive measures", "cybersecurity threat", and "cybersecurity purposes" are so vaguely defined, a good lawyer could effectively make this open season on the NSA (cybersecurity threat) for any yahoo who can form a company and hack/DDoS them (defensive measures) in an attempt to disrupt their spying operations (cybersecurity purpose). I have a feeling it will get repealed soon after their spying apparatus gets hammered by Anonymous, Inc. completely legally.
  [ link to this | view in chronology ]
Anonymous Coward, 20 Mar 2015 @ 10:05am

Feds to states: Go ahead and ignore state law
(4) USE OF CYBER THREAT INDICATORS BY STATE, TRIBAL, OR LOCAL GOVERNMENT.—
. . . .
(B) EXEMPTION FROM DISCLOSURE.—
A cyber threat indicator shared with a State, tribal, or local government under this section shall
be—
. . . .
(ii) exempt from disclosure under any State, tribal, or local law requiring disclosure of information or records.

What the fuck gives the federal government the authority to relieve any agency of the State of Washington from that state agencies' obligation to fully obey Washington law?

What the fucking fuck-fuck?

Where does it say that in the federal Constitution? It doesn't.
[ link to this | view in chronology ]
- Anonymous Coward, 20 Mar 2015 @ 10:38am
  
  Re: Feds to states: Go ahead and ignore state law
  Amendment X
  
  The powers not delegated to the United States by the Constitution, nor prohibited by it to the states, are reserved to the states respectively, or to the people.
  
  (See commentary: “... Congress may not ‘commandeer’ state regulatory processes by ordering states to enact or administer a federal regulatory program...”).
  [ link to this | view in chronology ]
- Anonymous Coward, 20 Mar 2015 @ 11:05am
  
  Re: Feds to states: Go ahead and ignore state law
  YO! CALIFORNIA! HEY YOU! OVER THERE!
  
  What does California have to say about this? Access to public records is written into the California Constitution. Do the feds have some sort of free-floating, untethered authority to tell your state's agencies to ignore your state's constitution?
  
  What does California have to say about this?
  [ link to this | view in chronology ]
  - GEMont (profile), 23 Mar 2015 @ 11:56am
    
    Re: Re: Feds to states: Go ahead and ignore state law
    "Do the feds have some sort of free-floating, untethered authority..."
    
    Does the recently, secretly rewritten (due to 9/11) Constitution of the United States count?
    
    ---
    [ link to this | view in chronology ]
- Anonymous Coward, 20 Mar 2015 @ 12:20pm
  
  Re: Feds to states: Go ahead and ignore state law
  they don't give a dam about the constitution any more than Stalin cared about the sanctity of all life.
  [ link to this | view in chronology ]
- GEMont (profile), 23 Mar 2015 @ 12:04pm
  
  Re: Feds to states: Go ahead and ignore state law
  We are sorry, but as an American citizen, recently reclassified as "The Adversary", you are not allowed to read the section of the New Corporate Constitution of the United States of America that pertains to the Federal Authority to relieve any agency of the State of Washington from that state agencies' obligation to fully obey Washington law, or for that matter, any other state in the union?
  
  However, be assured that we do now have the right to do exactly that, and many other things that the old outdated pre-9/11 Constitution did not allow.
  
  You can trust us when we say that this is entirely for your benefit.
  
  USG
  
  ---
  [ link to this | view in chronology ]
Anonymous Coward, 20 Mar 2015 @ 10:06am

The NSA already has "direct access" to Google...
According to Snowden. -- So how much more can there be? Even the block quote mentions redundancy. -- Don't worry about the RE-dundance when you're not calling for the dundance to be RE-moved. -- Be a leader, Masnick, and suggest some action to roll back the present criminality, not just write up another lame report of more loss.
[ link to this | view in chronology ]
- Pragmatic, 23 Mar 2015 @ 8:11am
  
  Re: The NSA already has "direct access" to Google...
  Mike's job is to report malfeasance, not to correct it. Want leadership? Look in the mirror. There's your boss. Now think for yourself.
  [ link to this | view in chronology ]
Anonymous Coward, 20 Mar 2015 @ 10:14am

C'mon, use the right terms!
> ... to launch countermeasures (now called "defensive measures" in the bill) for a "cybersecurity purpose" against a "cybersecurity threat."

Everyone knows this is called "ICE". Data walls, Code Gates, Traces, Sentries, though it'll be a while before we get the mind-computer interfaces that would make Black Ice a reality.

Ah, the smell of a Cortical Scrub in the morning...
[ link to this | view in chronology ]
- Anonymous Coward, 20 Mar 2015 @ 10:33am
  
  Re: C'mon, use the right terms!
  "Ah, the smell of a Cortical Scrub in the morning..."
  
  You only THINK you smell it... :-)
  [ link to this | view in chronology ]
That One Guy (profile), 20 Mar 2015 @ 10:41am

Someone's cheering, and it's not just the spies
Allowing companies to 'fight back' is a recipe for disaster and massive collateral damage, given most major hacks or DDOS attacks are likely to be carried out by compromised computers and networks, with the owners of those computers/networks completely innocent of anything more heinous than clicking on the wrong link or visiting the wrong site.

Feel like double-trolling someone you don't like? Use their computer/network in an attack, and then watch as the 'counter-attack' results in it being even more broken than before.
[ link to this | view in chronology ]
- Anonymous Coward, 20 Mar 2015 @ 11:01am
  
  Re: Someone's cheering, and it's not just the spies
  Think everybody pirates your files.....
  [ link to this | view in chronology ]
- orbitalinsertion (profile), 20 Mar 2015 @ 12:00pm
  
  Re: Someone's cheering, and it's not just the spies
  Well, sure, and since players are more likely to spend money on such a thing rather than actually securing anything in the first place, I'm sure it would make for interesting times when everyone can cyberstand their cyberground.
  [ link to this | view in chronology ]
- GEMont (profile), 23 Mar 2015 @ 11:51am
  
  Re: Someone's cheering, and it's not just the spies
  Allowing corporate entities to attack computers they think might cause them grief, or blanket assault a network because of a DDOS attack on their systems, will inevitably lead directly to publically produced reflection and retaliation technology.
  
  This is of course the whole plan.
  
  Once the public starts to react to having their computers wiped by Pissco or Microsloth because someone, somewhere - most likely CIAF BINSA - linked their box as a zombie in an electronic attack on that company, the Surveillance Corporation, currently known as the CIAF BINSA, can "prove" the need for Cyber-security counter-measures and get better tax-payer funding for their next generation of assault wares and better "public" support for the whole concept of Retaliatory Cyber Security.
  
  It will also "prove" to the tax-paying public, the need for "Retaliatory Cyber-Security" attack wares used by corporations.
  
  If you want to make legislation that will be obviously unpopular because it pries into public privacy or decreases public communications security, you must first create a crime-laden environment that can be used to show why the legislation is necessary.
  
  This is how all of the "War On ******" scams are created. \
  
  Its a tried and true business model.
  
  ---
  [ link to this | view in chronology ]
Derek Kerton (profile), 20 Mar 2015 @ 11:23am

Still Fighting The Last War
So...with our gov't, we are constantly fighting the last war, with things like taking our shoes off because the last bomber wired his shoes.

Of course, it's lame to merely be reactive, and to plan and prepare for the attacks that happened in the past. It is smarter, and thus I suggest that we instead prepare for the attacks that might happen in the future.

So now, our gov't has leapfrogged my suggestion. Instead of fighting the last war, or the next one, we are putting up "defenses" for problems that never happened, and never will.
[ link to this | view in chronology ]
- Michael, 20 Mar 2015 @ 11:50am
  
  Re: Still Fighting The Last War
  The best defense is being offensive.
  [ link to this | view in chronology ]
  - Anonymous Coward, 20 Mar 2015 @ 4:16pm
    
    Re: Re: Still Fighting The Last War
    And the best offense is being defensive.
    
    Though somehow I doubt the US willing to learn this particular piece of advice.
    [ link to this | view in chronology ]
Anonymous Coward, 20 Mar 2015 @ 2:23pm

The answer is simple
However many false flags it takes to fool the public.
[ link to this | view in chronology ]