Why CISPA Could Actually Lead To More Hacking Attacks

from the unintended-consequences dept

One thing we’ve talked about for years is that lawmakers are notoriously bad at thinking through the unintended consequences of legislation they put forth. They seem to think that whatever they set the law to be will work perfectly, and that there won’t be any other consequences. This is one reason why we’re so wary of simple “fixes” even when the idea or purpose sound good up front. “Protecting artists” sounds good… unless it destroys the kinds of services artists need. Cybersecurity sounds good, unless it actually makes it easier to violate your privacy. And, now, people are realizing that not only may cybersecurity rules like CISPA be awful for privacy, but they could potentially lead to more “cyber” attacks, as companies look to “hack back” against those who attack them. As Politico describes:


The idea is known as “active defense” to some, “strike-back” capability to others and “counter measures” to still more experts in the burgeoning cybersecurity field. Whatever the name, the idea is this: Don’t just erect walls to prevent cyberattacks, make it more difficult for hackers to climb into your systems — and pursue aggressively those who do.

So, how would cybersecurity rules create more hacking? Well, possibly by encouraging this kind of behavior by providing some amount of cover for it. The Cybersecurity bill in the Senate last year included an undefined allowance for “counter measures.” CISPA doesn’t explicitly mention that, but some in the security field are interpreting the bill to provide some amount of cover for such “counter measures” in which they could “perform hacks against threats.” But, if you’re trying to discourage online attacks, that seems like a problem. The likelihood of someone attacking the wrong target is quite high, and it could create quite a mess.

Thankfully, the folks behind CISPA suggest that they’re willing to change the bill to make it more explicit that such countermeasures are not allowed, but until that’s in place, it’s a serious concern:


Some of those fears have reached Rep. Mike Rogers (R-Mich.), chairman of the chamber’s Intelligence Committee and one of CISPA’s lead authors. In fact, panel aides told POLITICO they’re open to revising the relevant definitions in the bill. And Rogers himself this year has railed on the idea of an aggressive active defense, describing it as a “disaster for us” at a time when the country’s digital defenses remain subpar.

Even if they fix this particular hole, it’s these kinds of things that should worry all of us about broad laws that provide things like blanket immunity over ill-defined concepts like “cybersecurity” and “cyberattacks.” The likelihood of it being abused is quite high, especially in an ever changing technology world. Just look at computer laws like the CFAA and ECPA, which cover various computer crimes and privacy today. Both are ridiculously outdated, with concepts that are laughable by any rational view today. And thus, there are massive unintended consequences associated with both laws. Before we rush into creating new laws with big broad vague terms, perhaps we should focus on fixing the old laws and proceeding with caution on any new ones.

Filed Under: , , , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Why CISPA Could Actually Lead To More Hacking Attacks”

Subscribe: RSS Leave a comment
15 Comments
out_of_the_bluesays:

This comment has been flagged by the community.

So be sure to read it. Heh, heh. A tactic that should enchance my notice while undermining the rampant mis-use of your precious “report” buttons.

“it’s these kinds of things that should worry all of us”

Anyhoo, EVER noticed, Mike, that you too gin up worries that are yet to appear? Seems the whole country thrives on fake fears. It’s about the only growing industry in the US. And similarly, you never have any solutions to propose, nor any real condemnation to deliver, just wring your hands. — Oh, my! The sky is about to fall! Perhaps we should focus on fixing the old airs and proceeding with caution on any new gases!

Anonymoussays:

Re: Re: Old hat

I the equivalent to “more hacking = less cybercrime” is actually “more shooting = less violence.”

The idea of the second amendment is to prevent the government from weakening the people enough that they can’t be overthrown. It wasn’t intended to save the lives of the general public during peace time, and it’s effectiveness at that can be debated. Of course it’s original intent is a little less effective now that the government has tanks and machine guns, which probably shouldn’t be in the hands of the general public.

Anonymoussays:

The existing amount of hacking attacks justifies bills to fix it. These bills create more hacking attacks which justify more bills creating more hacking attacks justifying more bills. Eventually a bunch of federal agencies are created to deal with the problem, these federal agencies hire people which create jobs and that’s always a good thing.

Anonymoussays:

Re: Re:

these federal agencies hire people which create jobs and that’s always a good thing.

Really, you think increasing the non-productive jobs in society is a good thing. Where will the money come from to pay these people, and remember their taxes are just a discount on the wages paid and not income for the government.

Rick Smithsays:

Time to learn how to wage cyberwar

Well, I guess I better start to learn to initiate effective counter measures myself.

If one thing that has been proven in the last decade is that the ‘corporate’ world is really-really, good at getting it wrong. So when the eventuality happens and a website mis-identifies a legitimate user as an attacker, this loophole should be usable by user as well. What we will have is the equivalent of mutually assured destruction on the internet (since everyone will be afraid to use a site for anything more than your basics) but if laws like this get passed into existence the best way to combat them is to use them against those that thought them a good idea.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Report this ad??|??Hide Techdirt ads
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...
Older Stuff
12:25 Australian Privacy Commissioner Says 7-Eleven Broke Privacy Laws By Scanning Customers' Faces At Survey Kiosks (6)
10:50 Missouri Governor Doubles Down On 'View Source' Hacking Claim; PAC Now Fundraising Over This Bizarrely Stupid Claim (45)
10:45 Daily Deal: The All-in-One Microsoft, Cybersecurity, And Python Exam Prep Training Bundle (0)
09:43 Want To Understand Why U.S. Broadband Sucks? Look At Frontier Communications In Wisconsin, West Virginia (8)
05:36 Massachusetts College Decides Criticizing The Chinese Government Is Hate Speech, Suspends Conservative Student Group (71)
19:57 Le Tigre Sues Barry Mann To Stop Copyright Threats Over Song, Lights Barry Mann On Fire As Well (21)
16:07 Court Says City Of Baltimore's 'Heckler's Veto' Of An Anti-Catholic Rally Violates The First Amendment (15)
13:37 Two Years Later, Judge Finally Realizes That A CDN Provider Is Not Liable For Copyright Infringement On Websites (21)
12:19 Chicago Court Gets Its Prior Restraint On, Tells Police Union Head To STFU About City's Vaccine Mandate (158)
10:55 Verizon 'Visible' Wireless Accounts Hacked, Exploited To Buy New iPhones (8)
10:50 Daily Deal: The MacOS 11 Course (0)
07:55 Suing Social Media Sites Over Acts Of Terrorism Continues To Be A Losing Bet, As 11th Circuit Dumps Another Flawed Lawsuit (11)
02:51 Trump Announces His Own Social Network, 'Truth Social,' Which Says It Can Kick Off Users For Any Reason (And Already Is) (100)
19:51 Facebook AI Moderation Continues To Suck Because Moderation At Scale Is Impossible (26)
16:12 Content Moderation Case Studies: Snapchat Disables GIPHY Integration After Racist 'Sticker' Is Discovered (2018) (11)
13:54 Arlo Makes Live Customer Service A Luxury Option (8)
12:05 Delta Proudly Announces Its Participation In The DHS's Expanded Biometric Collection Program (5)
11:03 LinkedIn (Mostly) Exits China, Citing Escalating Demands For Censorship (14)
10:57 Daily Deal: The Python, Git, And YAML Bundle (0)
09:37 British Telecom Wants Netflix To Pay A Tax Simply Because Squid Game Is Popular (32)
06:41 Report: Client-Side Scanning Is An Insecure Nightmare Just Waiting To Be Exploited By Governments (35)
20:38 MLB In Talks To Offer Streaming For All Teams' Home Games In-Market Even Without A Cable Subscription (10)
15:55 Appeals Court Says Couple's Lawsuit Over Bogus Vehicle Forfeiture Can Continue (15)
13:30 Techdirt Podcast Episode 301: Scarcity, Abundance & NFTs (0)
12:03 Hollywood Is Betting On Filtering Mandates, But Working Copyright Algorithms Simply Don't Exist (66)
10:45 Introducing The Techdirt Insider Discord (4)
10:40 Daily Deal: The Dynamic 2021 DevOps Training Bundle (0)
09:29 Criminalizing Teens' Google Searches Is Just How The UK's Anti-Cybercrime Programs Roll (19)
06:29 Canon Sued For Disabling Printer Scanners When Devices Run Out Of Ink (41)
20:51 Copyright Law Discriminating Against The Blind Finally Struck Down By Court In South Africa (7)
More arrow