No Good Can Come Of Any Cybersecurity Bill Without A Clear Definition Of The Problem

from the putting-the-cybercart-before-the-horse dept

With CISPA dead (mercifully) from a critical case of Senate disinterest, the conversation has inevitably turned to what the next cybersecurity bill should look like. Over at Wired, Julian Sanchez has laid out some guidelines for a cybersecurity bill that actually works, achieving the stated goals of CISPA without butchering civil liberties. His key point is that, according to CISPA's authors, the bill's sole purpose is to let companies and the government share technical data (or as Dutch Ruppersberger adorably called it last year, "formulas, Xs and Os, the virus code") to help shore up network security and anticipate major attacks — and there's no real reason that has to conflict with privacy at all.
Few object to what technology companies and the government say they want to do in practice: pool data about the activity patterns of hacker-controlled “botnets,” or the digital signatures of new viruses and other malware. This information poses few risks to the privacy of ordinary users. Yet CISPA didn’t authorize only this kind of narrowly limited information sharing. Instead, it gave companies blanket immunity for feeding the government vaguely-defined “threat indicators” — anything from users’ online habits to the contents of private e-mails — creating a broad loophole in all federal and state privacy laws and even in private contracts and user agreements.
There’s no need to share [personally identifiable] data for security purposes anyway: Kevin Mandia, head of the cybersecurity firm Mandiant, insisted at a February hearing on CISPA that in 20 years in the industry, he had “never seen a package of threat intelligence that’s actionable” that included personally identifiable information.

Sanchez suggests some straightforward basic requirements for a cybersecurity bill that might actually get consensus from privacy watchdogs and the broader public: the removal of personal information before data reaches the government, a limited lifespan on the data (CISPA's authors have stated that real-time information sharing to deal with immediate threats is the key point of the bill anyway), and the ability for companies to respect their contracts with customers. As written, CISPA would have exonerated service providers from keeping any promise they made to not share user data. Even a service provider that wanted to offer you the contractual certainty that they would protect your data would have been unable to do so.

The reason for that is a key piece of language that's been drifting around CISPA since the beginning: "notwithstanding any other provision of law." There are lots of bits and pieces to the bill, but that line is the exemption granted to companies that wish to share cyber threat information with the government, and it's incredibly broad, allowing companies to ignore even the contracts they have with their customers.

So why is it there? That's the question nobody seems to want to answer, and that's the real issue with the whole push for cybersecurity legislation. Supposedly, according to the message that has accompanied CISPA and similar bills from the beginning, companies and the government are currently prevented from doing some harmless, common-sense information sharing to improve network security, because existing laws block such sharing. But... what laws? That has never been clear. Why does CISPA need to provide immunity "notwithstanding any other provision of law" rather than simply creating specific exceptions to the specific laws that are causing a problem? Why has nobody in Congress even been able to point out these problematic laws?

Perhaps it's not just one or two laws; perhaps it's a whole cluttered legal framework that can't easily be cleaned up and needs some broad, sweeping exceptions. But... nobody has made that case either. They just keep saying, non-specifically, "existing laws prevent it". And yet we know that's not true, at least to some degree: the FBI has had a system for sharing threat information back and forth with companies for 15 years. Why is that model not sufficient? Again, if there are reasons, nobody in Congress is offering them.

I'd like to say Sanchez's guidelines make an excellent starting point for cybersecurity legislation, but a starting point for legislation has to be a definition of the problem it's trying to solve, and we still don't have that. Nevertheless, they do serve as an excellent set of rules to hold Congress to if it is really so intent on barreling forward blindly. Cybersecurity grandstanders are likely to say that such restrictions would gut the legislation. Whether that's ignorance, cognitive dissonance or a tacit admission of dishonesty I'm not sure, but the restrictions suggested by Sanchez, the EFF, the ACLU and others would do nothing to hinder CISPA's stated and largely innocuous purpose — they would only interfere with the other much scarier potential uses that Congress insists aren't going to happen.

The longer Congress offers only the vaguest of vague definitions of the problem it's trying to solve, while at the same time seeming to betray even that vague definition with its response to suggested safeguards and restrictions, the harder it gets to afford them even one iota of trust on the subject of cybersecurity.


Filed Under: cispa, cybersecurity

Reader Comments


  1. Anonymous Coward, 1 May 2013 @ 12:15pm

    Too Honest Congressman: The problem is that the government doesn't have enough power to spy on Americans. We want to fix that with CISPA.


  2. Yakko Warner (profile), 1 May 2013 @ 12:24pm

    Why that sentence is there

    The sentence "notwithstanding any other provision of law" is required. With our overabundance of laws, just about anything you do or don't do is already criminal. So, in order to legally *permit* you to do something, you have to render all existing laws null and void just so it's *possible*.


  3. Zakida Paul (profile), 1 May 2013 @ 12:33pm

    Law makers are clearly stupid

    Any idiot coming home from holiday with a duty free brain cell knows that the first step in solving any problem is to identify and clearly define the whole problem. Only then can you even think about starting to come up with a solution.

    Politicians seem to have this arse about face.


  4. Anonymous Coward, 1 May 2013 @ 12:39pm

    The problem is that the politicians involved feel they have to look like they're Doing Something To Fight Cybercrime. If they can do that *and* make law enforcement happy by eroding civil rights at the same time, that's just lagniappe.


  5. Anonymous Coward, 1 May 2013 @ 12:45pm

    you obviously haven't realised that this isn't a bill to correct or prevent anything. it's designed to forecast problems!


  6. Anonymous Coward, 1 May 2013 @ 1:52pm

    Re: Why that sentence is there

    There is no law for 'grand theft, Populous', so I have to agree to disagree.


  7. Anonymous Coward, 2 May 2013 @ 1:28am

    I don't need a cyber security law to protect or hinder the internet connection I paid for. I liked my internet just fine before google and everything else on the internet started getting screwed with, changed, censored etc... money and power, that's all this boils down to. everything they do is about money and power. they don't give a FUCK about cyber security!


  8. Anonymous Coward, 2 May 2013 @ 7:42am

    Re: Law makers are clearly stupid

    The problem is politicians are not network/security/systems engineers, so they get fed dribble from higher brass that is pushing its own agenda.

    Having a valid technical discussion about the issues and resolutions has been a part of the private industries for years, as most technical people want to solve issues not only for themselves but to better the network as a whole. The fact that the people researching the fixes can run into trouble for violating the DMCA, I would say that it's Congress itself creating some of the problem. I guess that they don't want to admit to that however...


  9. Anonymous Coward, 2 May 2013 @ 6:54pm

    If one were to "merely" hold companies liable for damages caused by negligence with regard to the data they hold "in trust" (strike that -- insert "to milk") from their customers, I'm sure hacks would drop one-hundred fold within a year.
