It's not necessarily the letter of the law that people are worried about, it's the overreach that would result once it's on the books.


Having read the criticism the EFF's been pointing at CISPA, I fail to see how they're interpreting the bill to mean that such overreaching is even possible. I want to see what sort of changes the EFF would make to the current bill which would satisfy the privacy concerns they're claiming exist.

I think everyone agrees that companies should be able to describe to the cops what the guy who robbed them looked like, and those companies should be able to tell their customers they've been robbed without getting sued by their shareholders because the ensuing PR fallout tanks the stocks.


The USG is actively prevented by current regulations from setting up a clearinghouse that would collect netflow signatures, botnet identification, and traffic captures of exploit code and then sharing that information with companies like Google and Facebook.

Private companies can and do share (heavily scrubbed) electronic signature information, but must go through contortions to do so, and incur huge legal costs to do it. As a result, only the largest companies participate in these efforts.

Because the USG is more or less enjoined from participating in clearinghouses with private companies, information sharing networks are handshake affairs that are often unknown to anyone outside tier-3 network engineering. Other private IT security product companies run de facto clearinghouses, but only for their customers.

As a result, when your startup gets DDoS'd and you call your ISP for help, they generally can't do shit to help you. It may annoy you to know that if your connectivity provider is large, there is a group in there that could offramp your traffic to internal "scrubbing centers" to peel off DDOS traffic. But because high-end DDoS protection at ISPs is done sub rosa, startups have a very hard time finding these people.

There is an actual problem with online security attacks right now, and hysteria over any USG intervention with the Internet at all is helping perpetuate it. And all it appears to take to fuel that hysteria is statements like "think of the overreach that will happen once a law hits the books".


How do your last two paragraphs follow from the first three? How does having large companies share threat data help your small startup mitigate a DDoS?

There is an actual problem with online security attacks right now, and hysteria over any USG intervention with the Internet at all is helping perpetuate it.

This sounds an awful lot like, "We must do something. This is something, therefore we must do this."


ISPs propagate flow-based snapshots of attacks to populate filters and redirect traffic to scrubbing centers, but they do so discreetly in part because of concerns about how well their data --- which is used exclusively to generate filters --- has been anonymized.
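An added example (not from any commenter) of the kind of flow-snapshot scrubbing the comment refers to: constructed flow records are aggregated per target, high-volume targets are flagged, and the shared record carries only source prefixes and a keyed pseudonym for the victim address. The record layout, threshold and operator key are assumptions.

```python
import hmac
import hashlib
import ipaddress
from collections import defaultdict

# Constructed sample flow records (not real traffic): src, dst, dst_port, packets
SAMPLE_FLOWS = [
    ("198.51.100.7", "203.0.113.10", 80, 40000),
    ("198.51.100.9", "203.0.113.10", 80, 38000),
    ("198.51.100.200", "203.0.113.10", 80, 41000),
    ("192.0.2.5", "203.0.113.10", 80, 12),
    ("192.0.2.6", "203.0.113.44", 443, 30),
]

# Hypothetical per-operator secret; a keyed hash lets two snapshots from the
# same operator be correlated without revealing the address itself.
OPERATOR_KEY = b"constructed-example-key"

def pseudonymize(addr: str, key: bytes = OPERATOR_KEY) -> str:
    """Replace an address with a keyed HMAC pseudonym (truncated for readability)."""
    return hmac.new(key, addr.encode(), hashlib.sha256).hexdigest()[:16]

def prefix_only(addr: str, bits: int = 24) -> str:
    """Keep only the network prefix (default /24), dropping the host part."""
    return str(ipaddress.ip_network(f"{addr}/{bits}", strict=False))

def build_shareable_snapshot(flows, packet_threshold=10000):
    """Aggregate flows per (dst, port), flag high-volume targets, strip identifiers.

    Returns one entry per flagged target containing only anonymized fields.
    """
    agg = defaultdict(lambda: {"packets": 0, "sources": set()})
    for src, dst, dport, packets in flows:
        agg[(dst, dport)]["packets"] += packets
        agg[(dst, dport)]["sources"].add(src)
    snapshot = []
    for (dst, dport), v in agg.items():
        if v["packets"] < packet_threshold:
            continue  # below threshold: nothing worth sharing
        snapshot.append({
            "target": pseudonymize(dst),  # the victim is not exposed either
            "dst_port": dport,
            "packets": v["packets"],
            "source_prefixes": sorted({prefix_only(s) for s in v["sources"]}),
            "source_count": len(v["sources"]),
        })
    return snapshot
```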

What "regulations" are those that weren't addressed by the president's executive order last month? Can you provide a cite to an actual federal law that says this?

Are you suggesting that the President's EO gave the federal government a blanket authority to publish threat information to the private sector?

No, what I'm asking you for is an actual citation to federal law or the U.S. Code of Federal Regulations that backs up your claim ("USG is actively prevented by current regulations from setting up...")

That you failed to provide any, even though I think my request was fairly clear, provides strong evidence that you're unable to do so and your pro-CISPA argument was hand-waving, not based on facts or the law.


Or that you asked at 1:00AM.

Two responses, briefly:

1. FISMA spells out in positive terms that incident data collected by agencies is to be reported out to LEOs and the national security services unless otherwise designated by the President, and

2. much of the data we're discussing is classified, so, 18 U.S.C. § 798 is a starting point.

Do you dispute that, say, botnet identification data collected by DoD is classified? Do you have a source to suggest otherwise? I did network security product work at Pentagon with Arbor Networks and they were bananas about classification, operating an entire clone of their enterprise network to account for classification.

I find it interesting that you can publish an article that suggests CISPA is a backdoor attempt at warrantless wiretapping but accuse other people of handwaving.


Now we're getting somewhere!

You're right, of course, that federal agencies have the power to classify data. But I think saying that overclassification happens all the time is not a controversial statement; President Obama in 2010 signed the Reducing Over-Classification Act and the DOD IG announced last November that it is reviewing DOD classification procedures. One of the 9/11 Commission members concluded: "Much more information needs to be declassified. A great deal of information should never be classified at all."

So if the only reason we need CISPA is that DOD is inadvisedly classifying botnet data as SECRET, then a sensible fix is for DOD to declassify it. Or, that failing, Congress could amend 18 USC 798 to allow that to happen. Laws, like computer security, should follow the principle of least privilege, and enacting a broad wildcard law that overrides all federal and state laws to fix a narrow botnet-classification problem violates that principle.

Also: the primary criticism of CISPA is that it overrides all other state and federal laws in allowing the transfer of customer data from private companies to .gov, .mil and other organizations. You're defending .gov->.com data transfer, which is hand-wavingly orthogonal to an explanation of why a wildcard override for .com->.gov data transfer is necessary.


I don't understand how your last graf connects to your first.

Start here: packet captures and netflow traces from operational military networks are a textbook definition of something that reasonably should default to "classified".

So then the fact that CISPA preempts classification is the mechanism by which it crafts the exception allowing that stuff to be published. The law says "you can keep classifying secops data on military networks, but when you come across material that would be valuable to the public if sent to a clearinghouse, CISPA preempts classification".

How is that not a sensible measure? And in context, isn't it clear that preempting things like classified disclosure laws is just a pragmatic measure, since reforming all of classification is a huge can of worms, and not some sinister attempt to create a backdoor wiretapping mechanism?
