HR 624 (113th), better known as CISPA (Cyber Intelligence Sharing and Protection Act), is a bill under consideration by the U.S. House Intelligence Committee, and a revival of HR 3523 (112th) -- the 2012 CISPA bill that passed in the House but not the Senate.
Both bills (practically identical) grant "certified entities" (businesses and organizations approved by the federal government) and federal government agencies the ability to obtain and share information considered vital to the defense of digital networks within the United States, including what we call the internet.
HR 624 refers to the information to be shared as cyber threat information and cyber threat intelligence. I was not sure how information differed from intelligence, so I asked Paul Rosenzweig, founder of Red Branch Consulting. Why Paul? His list of credentials is long and distinguished, and of particular interest was his serving as Deputy Assistant Secretary for Policy in the Department of Homeland Security.
Paul explained that intelligence differs from information in that intelligence includes the element of time. A good example of information might be a network-routing diagram showing paths along which a cyber-attack may occur. Knowing in advance when the attack is to take place would be intelligence.
I'm glad Paul cleared that up. Paul will be back later to help me wade through the controversial parts of CISPA.
What is to be shared?
The following categories are listed in CISPA as guides for what information or intelligence should be reported to the National Cybersecurity and Communications Integration Center of the Department of Homeland Security, and shared with other certified entities:
- A vulnerability of a system or network of a government or private entity.
- A threat to the integrity, confidentiality, or availability of a system or network of a government or private entity, or any information stored on, processed on, or transiting such a system or network.
- Efforts to deny access to or degrade, disrupt, or destroy a system or network of a government or private entity.
- Efforts to gain unauthorized access to a system or network of a government or private entity, including to gain such unauthorized access for the purpose of exfiltrating information stored on, processed on, or transiting a system or network of a government or private entity.
It would be difficult to argue that the above bullets are not threats, and privacy experts aren't trying to. What rubs privacy advocates and organizations entirely the wrong way is how reportable threat information is obtained: CISPA grants certified entities the ability to scan and read every digital bit that passes through their networks, including your personal information and mine. Some say, so what, they do already; that may be so, but with CISPA in place there is no longer a question of whether doing so is legal.
If I understood Paul correctly, the following example would be reported under CISPA. Your home computer has been compromised and is part of a botnet attacking a Department of Defense website. Your ISP, being a certified entity, is scanning traffic from your computer and notices bot-like activity. Your ISP will then report the matter to other certified entities and federal agencies.
What happens next is unclear. The closest reference I found was on page eight of HR 624. Under the Exemption from Liability paragraph, it states (refer to the second bullet):
No civil or criminal cause of action shall lie or be maintained in Federal or State court against a protected entity, self-protected entity, cybersecurity provider, or an officer, employee, or agent of a protected entity, self-protected entity, or cybersecurity provider, acting in good faith:
- For using cybersecurity systems to identify or obtain cyber threat information or for sharing such information in accordance with this section.
- For decisions made based on cyber threat information identified, obtained, or shared under this section.
It's "For decisions made" that caught the attention of the Electronic Frontier Foundation (EFF). Here's what their FAQ page on CISPA says:
CISPA provides companies with immunity "for decisions made based on cyber threat information" as long as they are acting in good faith. But CISPA doesn't define "decisions made." Aggressive companies could interpret this immunity to cover "defensive" -- and what some would consider offensive -- countermeasures like DDoSing suspected intruders, third parties, or even innocent users.
Two sides to a debate
As I mentioned earlier, CISPA is controversial. Now I'd like to explore a few of the more divisive components of CISPA. To accomplish that I'm going to refer once again to EFF's FAQ website on CISPA:
Under CISPA, what can I do if a company improperly hands over private information to the government?
What can I do to stop the government from misusing my private information?
The EFF response: almost nothing can be done. The government does not have to notify the user; it only has to notify the certified entity that it turned over improper information.
Paul said that users do have an option: page 13 of HR 624 outlines how an individual can hold the federal government liable:
If a department or agency of the Federal Government intentionally or willfully violates subsection (b)(3)(C) or subsection (c) with respect to the disclosure, use, or protection of voluntarily shared cyber threat information shared under this section, the United States shall be liable to a person adversely affected by such violation in an amount equal to the sum of:
- The actual damages sustained by the person as a result of the violation or $1,000, whichever is greater.
- The costs of the action together with reasonable attorney fees as determined by the court.
The EFF does acknowledge the legal process, but adds:
[A]ny such lawsuit will be difficult to bring because it's not at all clear how an individual would know of such misuse. An individual could not even use transparency laws, like FOIA (Freedom of Information Act), to find out, because the information shared is exempt from disclosure.
I asked Paul about this, as the bill for once is clearly understandable. On page seven of HR 624:
[S]hall be exempt from disclosure under section 552 of title 5, United States Code (commonly known as the 'Freedom of Information Act').
Paul responded that the FOIA does not apply in this case. Paul also pointed out that there will be significant government oversight. On pages 14 through 15, the bill states that the Inspector General must submit annually a review of the information shared with the government. And the report shall be submitted in unclassified form; therefore, I'm assuming it is available to the public.
Something I'm having a hard time understanding is how a document of slightly more than 5,000 words can be expected to cover all the bases when such a sweeping and important concept is being considered. I guess that's why I have several questions I can't find answers for -- or let's say concrete answers -- opinions abound:
- For example, wouldn't the DoD collecting information on U.S. citizens go against the Posse Comitatus Act?
- In a similar vein, does this remove the limits placed on NSA, as it is one of the agencies that will have access to cyber threat information and intelligence?
- I was informed there was wide support for CISPA, but I've only found 15 companies that have publicly committed to supporting CISPA. Yet, last month internet activists delivered to Congress a list of 300,000 signatures against CISPA. So who is right?
- HR 624 has a list of personal-identifying information that is off limits and cannot be shared with the Federal Government. I am curious why these records were chosen: library circulation records, library patron lists, book sales records, book customer lists, firearms sales records, tax return records, educational records, and medical records.
This was a difficult article to pull together. Oddly enough, a colleague's comment cuts right to the chase. If CISPA becomes law, Americans will lose privacy in exchange for improving the odds of preventing a catastrophic cyber-attack.
That same colleague then smiled and said he really felt it was a plot by the U.S. Postal Service to get themselves back into a positive cash flow.
I am grateful that Paul Rosenzweig, who just returned home from traveling, was kind enough to make room for me in his schedule. I also wanted to thank the EFF for allowing me to borrow quotes from their website.
Michael Kassner is currently a systems manager for an international company. Together with his son, he runs MKassner Net, a small IT publication consultancy.