CISPA pits privacy against security: A closer look at the issues

The United States Congress is once again considering a bill that could forever change how we as individuals use the internet. Michael P. Kassner looks at what those changes are.

HR 624 (113th), better known as CISPA (Cyber Intelligence Sharing and Protection Act), is a bill under consideration by the U.S. House Intelligence Committee, and a revival of HR 3523 (112th) -- the 2012 CISPA bill that passed in the House, but not the Senate.

Both bills (practically identical) grant "certified entities" (businesses and organizations approved by the fed) and federal government agencies the ability to obtain and share information considered vital to the defense of digital networks within the confines of the United States, including what we call the internet.

HR 624 refers to the information to be shared as cyber threat information and cyber threat intelligence. I was not sure how information differed from intelligence, so I asked Paul Rosenzweig, founder of Red Branch Consulting. Why Paul? His list of credentials is long and distinguished, and of particular interest was his serving as Deputy Assistant Secretary for Policy in the Department of Homeland Security.

Paul explained that intelligence differs from information in that intelligence includes the element of time. A good example of information might be a network-routing diagram showing paths along which a cyber-attack may occur. Knowing in advance when the attack is to take place would be intelligence.

I'm glad Paul cleared that up. Paul will be back later to help me wade through the controversial parts of CISPA.

What is to be shared?

The following categories are listed in CISPA as guides for what information or intelligence should be reported to the National Cybersecurity and Communications Integration Center of the Department of Homeland Security, and shared with other certified entities:

  • A vulnerability of a system or network of a government or private entity.
  • A threat to the integrity, confidentiality, or availability of a system or network of a government or private entity, or any information stored on, processed on, or transiting such a system or network.
  • Efforts to deny access to or degrade, disrupt, or destroy a system or network of a government or private entity.
  • Efforts to gain unauthorized access to a system or network of a government or private entity, including to gain such unauthorized access for the purpose of exfiltrating information stored on, processed on, or transiting a system or network of a government or private entity.

It would be difficult to argue that the items above are not threats, and privacy experts aren't trying to. What rubs privacy advocates and organizations entirely the wrong way is how reportable threat information is obtained: CISPA grants certified entities the ability to scan and read every digital bit that passes through their networks, including your personal information, and mine. Some say, so what, they do already. That may be so, but with CISPA in place there is no longer a question of whether doing so is legal.

If I understood Paul correctly, the following example would be reported under CISPA. Your home computer has been compromised, and is part of a botnet attacking a Department of Defense website. Your ISP, being a certified entity, is scanning traffic from your computer and notices bot-like activity. Your ISP will then report the matter to other certified entities and federal agencies.

Then what?

What happens next is unclear. The closest reference I found was on page eight of HR 624. Under the Exemption from Liability paragraph, it states (refer to the second bullet):

No civil or criminal cause of action shall lie or be maintained in Federal or State court against a protected entity, self-protected entity, cybersecurity provider, or an officer, employee, or agent of a protected entity, self-protected entity, or cybersecurity provider, acting in good faith:

  • For using cybersecurity systems to identify or obtain cyber threat information or for sharing such information in accordance with this section.
  • For decisions made based on cyber threat information identified, obtained, or shared under this section.

It's "For decisions made" that caught the attention of the Electronic Frontier Foundation (EFF). Here's what their FAQ website on CISPA mentioned:

CISPA provides companies with immunity "for decisions made based on cyber threat information" as long as they are acting in good faith. But CISPA doesn't define "decisions made." Aggressive companies could interpret this immunity to cover "defensive" -- and what some would consider offensive -- countermeasures like DDoSing suspected intruders, third parties, or even innocent users.

Two sides to a debate

As I mentioned earlier, CISPA is controversial. Now I'd like to explore a few of the more divisive components of CISPA. To accomplish that I'm going to refer once again to EFF's FAQ website on CISPA:

Under CISPA, what can I do if a company improperly hands over private information to the government?

And:

What can I do to stop the government from misusing my private information?

The EFF response: almost nothing can be done. The government does not have to notify the user; it only has to notify the certified entity that it turned over improper information.

Paul said that users do have an option: page 13 of HR 624 outlines how an individual can hold the federal government liable:

If a department or agency of the Federal Government intentionally or willfully violates subsection (b)(3)(C) or subsection (c) with respect to the disclosure, use, or protection of voluntarily shared cyber threat information shared under this section, the United States shall be liable to a person adversely affected by such violation in an amount equal to the sum of:

  • The actual damages sustained by the person as a result of the violation or $1,000, whichever is greater.
  • The costs of the action together with reasonable attorney fees as determined by the court.

The EFF does acknowledge the legal process, but adds:

[A]ny such lawsuit will be difficult to bring because it's not at all clear how an individual would know of such misuse. An individual could not even use transparency laws, like FOIA (Freedom of Information Act), to find out, because the information shared is exempt from disclosure.

I asked Paul about this, as the bill for once is clearly understandable. On page seven of HR 624:

[S]hall be exempt from disclosure under section 552 of title 5, United States Code (commonly known as the ‘Freedom of Information Act’).

Paul responded that the FOIA does not apply in this case. Paul also pointed out there will be significant government oversight. On pages 14 through 15, the bill states that the Inspector General must submit, annually, a review of the information shared with the government. The report shall be submitted in unclassified form; therefore, I'm assuming, available to the public.

Unanswered questions

Something I'm having a hard time understanding is how a document of slightly more than 5,000 words can be expected to cover all the bases when such a sweeping and important concept is being considered. I guess that's why I have several questions I can't find answers for -- or let's say concrete answers, since opinions abound:

  • For example, wouldn't the DoD collecting information on U.S. Citizens go against the Posse Comitatus Act?
  • In a similar vein, does this remove the limits placed on NSA, as it is one of the agencies that will have access to cyber threat information and intelligence?
  • I was informed there was wide support for CISPA, but I've only found 15 companies that have publicly committed to supporting CISPA. Yet, last month internet activists delivered to Congress a list of 300,000 signatures against CISPA. So who is right?
  • HR 624 has a list of personal-identifying information that is off limits and cannot be shared with the Federal Government. I am curious why these records were chosen: library circulation records, library patron lists, book sales records, book customer lists, firearms sales records, tax return records, educational records, and medical records.

Final thoughts

This was a difficult article to pull together. Oddly enough, a colleague's comment cuts right to the chase. If CISPA becomes law, Americans will lose privacy in exchange for improving the odds of preventing a catastrophic cyber-attack.

That same colleague then smiled and said he really felt it was a plot by the U.S. Postal Service to get themselves back into a positive cash flow.

I am grateful that Paul Rosenzweig, who just returned home from traveling, was kind enough to make room for me in his schedule. I also wanted to thank the EFF for allowing me to borrow quotes from their website.

45 comments
johnschw

The way things are going, I think a name change is in order. Any government agency with the word "security" in it would have the word replaced with "suppression". Example: The DHS (Department of Homeland Security) should be renamed to the Department of Homeland Suppression (same initials)!! The following definitions from Wikipedia would justify the change! From Wikipedia, the free encyclopedia The term suppression may refer to: Oppression, the exercise of authority or power in a burdensome, cruel, or unjust manner, also an act or instance of oppressing Censorship, the suppression of public communication considered objectionable to the general body of people as determined by a government or media outlet Voter suppression, a strategy to influence the outcome of an election by discouraging or preventing people from exercising their right to vote Cultural suppression, occurs when a culture is suppressed, usually coinciding with the promotion of another culture, often related to cultural imperialism Religious intolerance, intolerance against another's religious beliefs or practices by individuals, private groups, government agencies or the whole government Suppression of dissent, occurs when an individual or group tries to censor, persecute or otherwise oppress the other party rather than communicate logically Thought suppression, the process of deliberately trying to stop thinking about certain thoughts, associated with obsessive-compulsive disord

apotheon

When I want to increase security, I always spread all my sensitive data around to as many entities not under my direct control as possible, too! Oh, wait, no I don't. There is no trade-off between privacy and security here. It's downhill for both when bills like these pass. The only "security" these jackasses in Congress are really trying to achieve is job security, which depends far more on marketing and appearances than actual effective policy. Counterproductive policies like CISPA are right up that alley.

wdewey@cityofsalem.net

FOIA is about ensuring transparency in the government not about accessing your personal files maintained by the government. The Privacy Act addresses this and under it you have the right to see records about yourself. How you would go about requesting data collected under CISPA I don't know, but, in theory, if you can find the right button then you should be able to request access to your file. This is a quote from a government web site about the Privacy Act: http://publications.usa.gov/epublications/foia/foia.htm "How do I know if an agency has a file on me? If you think a particular agency has a file pertaining to you, you may write to the Privacy Act Officer. Agencies are generally required to inform you, upon request, whether or not they have files on you. In addition, agencies are required to report publicly the existence of all systems of records they keep on individuals. The Office of the Federal Register makes available on the internet a compilation of each agency’s systems of records notices, including exemptions, as well as its Privacy Act regulations. The Privacy Act Issuances Compilation includes most systems, is updated every two years, and can be found at www.gpoaccess.gov/privacyact/index.html." Personal data is specifically not releasable under FOIA to protect individuals' privacy. If the Inspector General's report was specific enough to identify individuals then it too would not be releasable, nor would you want it to be. ID theft is bad enough without the government intentionally giving out large amounts of personal data. Bill

rocket ride

Each category of personal data that is specifically protected from distribution under CISPA is there because someone made a stink about it being distributed during the debates over prior legislation, such as the "PATRIOT" act or what has come to be known as "Obamacare" (I don't remember the formal name of that bill-- and can't quite be bothered to look it up). I think CISPA's proponents learned from those prior debates what types of personal info Americans hold dearest (and most private) and tried to defuse the most rancorous part of this debate by taking them off the table.

pgit

Isn't that the PROBLEM here? :) Not to mention the fox-hen house thing.

jason_lacoss-arnold

Just get every company to forward all firewall block logs, intrusion detection alerts, network scan probes etc to the Feds and watch them drown under the noise.

RickCaird

There is no doubt in my mind that as government flails away not solving the real problems, they are putting in place an infrastructure to radically restrict the privacy of Americans. This goes all the way from foreign bank accounts to the ability to surveil from drones without warrants to no notice warrants to inspecting every bit in every message to saving all electronic communications in Utah. We really need to ask why the government is putting all this in place.

bwall99

As one of the billions of users who thankfully live outside the jurisdiction of the USA I follow such stories with detached interest. Attempts to put the genie of the internet back in the bottle will always fail whilst the majority of internet users live outside America. Those of us in Europe, not to mention China, India, Russia, the Far East etc don't take kindly to interference so I hope your Congress don't imagine they can get away with expanding such schemes outside of your borders.

Michael Kassner

I do not see that going far enough. They can collect anything that you send over the internet. They could claim it was not private or personal, but it came from you.

Michael Kassner

To be honest, I would have thought credit-card and more immediate financial information would be of importance.

Michael Kassner

I did not get the juxtaposition until you mentioned it.

wdewey@cityofsalem.net

How do you find attacks that aren't logged by defensive devices? If firewalls and IDS's were enough then there wouldn't be a need for this legislation. Bill

simonschilder

The problem with your statement, Jason, is that right now there is so much computer power available to the government that they won't drown in the data flood... Safety in numbers is a passed station

Michael Kassner

One has to wonder if any of these measures would have prevented any of the attacks, cyber or otherwise?

HAL 9000

That when the US Authorities don't like something you send through the US or to any US Based Servers they apply for Extradition to the US for you to face the charges. Because they need to extradite you to the US you may very well be a Runner so you get to spend the time between arriving in the US and facing Trial on Remand held in Custody to prevent you running. You need to understand that to prevent this from happening you should never send anything which will be considered as Suspect through an E-Mail, Text Upload or so on and to be really sure you need to live in a Country Without an Extradition Treaty with the US. Not many developed countries in the West who don't have one of those though. ;) Like all countries the US also scans all messages that pass over its borders from outside as well as all internal data transfers be that Cell Phone traffic both Voice, Text and Data, Fax Transmissions, E-Mail, All Data Downloads no matter the type and so on. Different countries have different names for the agencies which do this for them but all developed countries do this in the name of security. So what happens in the US is a precursor of what happens in most countries to improve Internal Security and keep the Citizens of the country safe. Personally I don't have any problem with it either. ;) Col

wdewey@cityofsalem.net

Any time you connect to servers based in the US this law would affect you. Due to the nature of how the Internet works any law that deals with it tends to affect a much larger audience than just the citizens of that country. The down side is that usually non-citizens have little say or influence in the decision making process. Bill

Michael Kassner

If I understand correctly, the traffic you sent to this forum could/would have been scanned under CISPA.

wdewey@cityofsalem.net

Your article only talked about FOIA which is the wrong way to go about trying to determine if the government is recording data about you. Sure, the Privacy Act may not go far enough, but that really wasn't the focus of my comment. Bill

wdewey@cityofsalem.net

If credit card info isn't encrypted then there is already a problem. Without doing SSL inspection (basically a man-in-the-middle attack) it is extremely costly (if not impossible) to look at encrypted traffic. Most financial traffic is encrypted, but if someone does a search for a medical condition then that could be shared with the government without a clause in the act. Bill

Michael Kassner

The gist of this bill is to find out about attacks before they occur -- hence the term intelligence.

Michael Kassner

What do you mean by "Safety in numbers is a passed station?"

The_Real_BSAFH

All of this is busy work. It is designed to keep us from seeing what the government is really doing for *their* masters and allows them to control the information when someone starts to see through the FUD. Say no to CISPA.

wdewey@cityofsalem.net

I don't know if this law will prevent a cyber attack, but it may help to limit the scope and effect of the attack. If you find an unusual number of companies in the same sector that are compromised by a similar piece of malware then it would be possible to issue an advisory that may help other companies detect or defend against similar attacks. This could limit the total number of compromises and help detect and clean up existing ones. I'm not for or against this law yet (haven't read enough), but information sharing is a very powerful tool and can be used for good or for bad. Bill

michael.moore

In order to extradite a non-US citizen from their country (or any treaty country for that matter) the US Government would have to demonstrate they have a reasonable chance of successfully prosecuting an indictable, criminal offence. I'd suggest they'd need a lot more than some captured "cyber-traffic" intel in order to do that. As an honest citizen of a non-US "developed" country I don't really care what you do with the information about me that crosses the border into the US if it helps to protect that information from criminals who would seek to use that information for their own gain. At some stage we have to have some faith that our governments are more trustworthy than organised crime. Otherwise what's the point in having an ordered society - we might as well go back to unfettered tribal warfare!

Michael Kassner

What type of communications is this limited to, if any? This could be really far reaching covering everything -- voice to fax to digital.

apotheon

You say that as though citizens get a lot of say in the matter.

wdewey@cityofsalem.net

"The EFF does acknowledge the legal process, but adds: .... An individual could not even use transparency laws, like FOIA (Freedom of Information Act), to find out, because the information shared is exempt from disclosure." The bill says nothing about how people would discover mis-use. That was the EFF. I think I pointed it out because you chose that direct quote to answer the "What can I do to stop the government from misusing my private information?" FOIA could NEVER be used to determine mis-use of PERSONAL information (Purposely upper case for emphasis). The EFF really needs to read and understand the difference between FOIA and the Privacy Act. FOIA is agency created data, Privacy Act is PII. There was a big debate in Oregon recently because PERS released the names and dollar figures for people with the largest retirement benefits. I think the only reason the info was released (after years of court battles) is because PERS creates the formulas that generate the dollar figures. http://www.oregonlive.com/politics/index.ssf/2011/11/top_beneficiary_of_oregon_publ.html Bill

wdewey@cityofsalem.net

Same way that people find out about companies doing illegal activities. The backlash is people not buying their products, ie DigiNotar. It seems like your own example shows the process. Someone notices something odd, researches it and then releases the info. Is what Nokia is doing a socially acceptable, legal process with or without CISPA? I am betting that someone at the company had the conversation about creating an intentional man-in-the-middle process before this project even started. If the CISPA passes then there may be a larger chunk of the population that suddenly realizes they don't want their data shared with other entities and goes out and buys HTC or Motorola or Samsung or (insert name here) phones. So then Nokia either changes their process or loses market share. This still doesn't reduce the cost or the risk except for 3rd parties. I really don't see people being ok with this for very long and if this goes badly for Nokia then I don't see other manufacturers following suit (or they will change their way quickly). Ubuntu has been dealing with similar issues due to their Amazon search feature. The CISPA doesn't condone or make MitM legal or acceptable. It just adds a broader impact to the process and could make the public outcry louder. Where it could really have an impact is in companies that require it. A number of companies have set up SSL inspection for protection purposes, but people should know what is happening. If they choose to do banking knowing that their data could be recorded then it was a voluntary action. Bill

Michael Kassner

Only a chosen few need to scan, the information could then be shared. And what backlash, they have immunity and I don't see how anyone will know, as does the EFF.

wdewey@cityofsalem.net

If you don't think having an infrastructure capable of manufacturing millions of devices and handling gigs of traffic isn't expensive then maybe we are in different tax brackets. Sure, you also could have keyloggers built into the firmware, but not every company has either of these capabilities. Talking about costs, the backlash from this could cost Nokia a good chunk of money. For a large well known company to perform these types of actions is gambling. Look at the Sony root kit or DigiNotar. If you don't think these actions cost them lots of money then we will have to agree to disagree on that point. Bill

Michael Kassner

I included those points in my article, actually. What you are talking about is already supposedly being done by government agencies. What has advocates worried is the sharing of this information between companies, which have immunity if they act in good faith, which is not defined.

wdewey@cityofsalem.net

Here are the definitions for Cyber threat and cyber intelligence from the bill: "‘(4) CYBER THREAT INFORMATION- ‘(A) IN GENERAL- The term ‘cyber threat information’ means information directly pertaining to-- ‘(i) a vulnerability of a system or network of a government or private entity; ‘(ii) a threat to the integrity, confidentiality, or availability of a system or network of a government or private entity or any information stored on, processed on, or transiting such a system or network; ‘(iii) efforts to deny access to or degrade, disrupt, or destroy a system or network of a government or private entity; or ‘(iv) efforts to gain unauthorized access to a system or network of a government or private entity, including to gain such unauthorized access for the purpose of exfiltrating information stored on, processed on, or transiting a system or network of a government or private entity. ‘(B) EXCLUSION- Such term does not include information pertaining to efforts to gain unauthorized access to a system or network of a government or private entity that solely involve violations of consumer terms of service or consumer licensing agreements and do not otherwise constitute unauthorized access. 
‘(5) CYBER THREAT INTELLIGENCE- ‘(A) IN GENERAL- The term ‘cyber threat intelligence’ means intelligence in the possession of an element of the intelligence community directly pertaining to-- ‘(i) a vulnerability of a system or network of a government or private entity; ‘(ii) a threat to the integrity, confidentiality, or availability of a system or network of a government or private entity or any information stored on, processed on, or transiting such a system or network; ‘(iii) efforts to deny access to or degrade, disrupt, or destroy a system or network of a government or private entity; or ‘(iv) efforts to gain unauthorized access to a system or network of a government or private entity, including to gain such unauthorized access for the purpose of exfiltrating information stored on, processed on, or transiting a system or network of a government or private entity. ‘(B) EXCLUSION- Such term does not include intelligence pertaining to efforts to gain unauthorized access to a system or network of a government or private entity that solely involve violations of consumer terms of service or consumer licensing agreements and do not otherwise constitute unauthorized access." If you notice the "efforts to deny access" statement? This indicates some type of network attack. It may be a limited attack probing for vulnerabilities or to test responses. This bill isn't just about scanning people's email to see if they are threatening the US or some company. Intelligence isn't just listening in on conversations, it's about looking for indicators. Indicators could be an increase in port scans from a particular IP address or an oddly crafted IP packet. Will this involve scanning email? Probably, but then again email is a very common means of gaining an initial foothold in an organization. Bill Edited and completely changed point

wdewey@cityofsalem.net

Intel helps determine what is happening and why which can help limit and stop an attack. If it's real good intel it may be able to prevent an incident altogether. Bill

Michael Kassner

It's more of an intelligence-gathering project than anything, at least that's what I have been gleaning from the reports.

HAL 9000

The US was chasing a Mentally retarded person for Hacking their Military looking for proof of UFOs from the UK. I believe that they got that one though it did take a couple of years and I have heard no more reported about it either. That is just one example of where things can go wrong particularly if you do not realize you are Hacking into a Secure Environment. After all None have a Big Warning on the front door Caution Do not Enter list name of Federal Agency here. The current problem with the US and Computer Security is that they have none, they expect you not to do the wrong thing and give you no warning that you may be straying into places that you really don't want to be. Example Bradley Manning who has just pleaded Guilty was given a computer that had a Recordable Optical Drive and was allowed to enter his work area with Blank Media and then remove it after his shift was finished basically unchecked and most definitely never challenged. Back in the days when I worked in areas like that the systems had no ability to write to media other than internal Media and while you could take any recordable Media onto the Base if you tried to take any off the base for any reason but Authorized Data Transfers you were in a World of Hurt with lots of Explanations being asked from the MPs. Try to remove anything from the base even with the right paperwork and you knew all about it. Why isn't that happening today? I can answer that and it's because it costs money. The same applies to a lot of Supposedly Secure Environments they are Secure in Name Only it's just the same as stamping Top Secret on a document and that prevents it from being copied, stolen or otherwise distributed. Security by Fear of Reprisals is no Security at all. ;) Col

Michael Kassner

The information will be shared with other certified entities as well. Verizon could share with AT&T and so on. Government most likely has all it needs already. One source expects to see an increase in spam from entities never contacted by a user.

HAL 9000

Though the stuff may be scanned by computers for Flagged terms, words or whatever first before being passed on to Humans to look deeper. For instance an easy one is saying something like Nuke the unit where the word "Nuke" would be flagged and then be ruled out with the following Boot & Nuke being used in the same sentence or very soon after. That way it would pick up the difference between referring to a computer program commonly used and a fission weapon. Though using the words Nuke & Fission Weapon in the same sentence is definitely going to raise lots of Red Flags. :D So in this case as I'm in AU the above would be scanned by the Australian Defense Force Directorate in Western Australia and the US Base at Pine Gap before leaving AU and then by another CIA Base when it enters the US. Both Pine Gap and whichever CIA scanning station which is being used would then forward the data onto an area to investigate more deeply to see that No Further Action is Required and then finally the FBI through one of the other Homeland Security Agencies would also scan the message when it was sent internally within the US. As both the CIA and FBI as well as any other Internal Security Agencies don't share Information the process is replicated and the costs increased accordingly. Of course if this transmission was directed through one or more other countries like somewhere in Europe the message would be scanned going into each country, being transmitted across that country and again as it left that country, though depending on the country/s involved it may very well be scanned by the same agency. In AU the AD FD and Pine Gap share Data though depending on the current situation the sharing may be more complete today than at other times. It all depends on just how "Complex" the current Political Situation actually is. :^0 Col

apotheon

If voting could really change anything, it would be illegal. Hell, exercising most of your rights is illegal.

wdewey@cityofsalem.net

Citizens have certain rights. Most people don't exercise them, but they exist. It's better than nothing.