By Jake Edge
May 2, 2012
Depending on whom you listen to, "cybersecurity" is either an enormous
national security concern or a largely overblown issue promulgated by
those with something to gain.
There is little question that there are security threats to computers that
emanate from "cyberspace"—though that term might best be relegated to
the science fiction where it originated—and that some of those
threats could cause serious harm to the infrastructure of the internet and
to systems connected to it. But, like most internet "protection" laws, the
proposed US "Cyber Intelligence Sharing and Protection Act" (CISPA) does
little to actually address the problem it is meant to solve and is,
instead, an enormous overreach into the private communications of
internet users.
The ostensible purpose of CISPA is to facilitate the sharing of network
traffic information between US government agencies and various US companies
to assist in investigating and thwarting internet attacks. While that may
sound relatively harmless—possibly even beneficial—the devil,
as always, is in the details. In this case, the details aren't very clear;
as the bill is written it could allow for nearly limitless internet data
collection, with provisions to share that information with the US
government, all with little or no oversight. It is, in short, an enormous
circumvention of the usual protections against warrantless wiretapping
(not that we haven't seen those protections ignored before, of course).
Part of the problem stems from overly vague language in CISPA. The bill only
requires that cybersecurity or national security be "one significant purpose" of the government's use of the data
being shared. That leaves a lot of wiggle room, not only because the two
terms are not well-defined, but also because it allows the use of the data for
non-security purposes if some kind of security tie can be made. Earlier
versions of the bill specifically mentioned things like copyright
enforcement as one of the things that the data could be used for.
CISPA would also shield companies (like ISPs or web sites) from civil and
criminal liability for any "good faith" sharing of data. That would
severely limit the legal recourse for users harmed by inappropriate data
collection or sharing. The government is also shielded from legal recourse
unless there is intentional or willful mishandling of the data—notably,
negligent handling of the data is protected.
As we have seen time and time again (e.g. the PATRIOT Act, the Digital
Millennium Copyright Act (DMCA), the Computer Fraud and Abuse Act (CFAA),
etc.) the vagueness of computer-related statutes makes them likely to be
abused, either by prosecutors, government agents, companies, or private
parties, to further aims that are arguably unrelated to the intent of the
law—or at least its stated intent.
There have been claims that entering incorrect information in the
registration for a web site can be construed as "unauthorized access"
under the CFAA, for example. Unauthorized access is one of the threats
specifically mentioned by CISPA. That could potentially turn
anyone who registered a false name or birth date with a social network (or
violated the terms of service of some web site) into a cybersecurity threat
under the law, which would allow the collection and sharing of their
internet traffic. Proponents claim it would never be used that way, of
course, but those same claims were made for the CFAA and others.
In an effort to clarify what else the government could use any of the
collected data for, the US House approved
an amendment to CISPA before passing the measure. Instead of being able
to use the data for "any lawful purpose" (assuming it was
collected and shared due to some tie to cyber or national security), the
amendment narrowed it to five separate uses: "cybersecurity, cyber
crime, protecting people from harm, protecting children from exploitation,
and national security". While that's better, certainly, it
enshrines an expansion of CISPA from strictly being about computer security
to cover additional illegal activities. That expansion is part of what
worried civil liberties organizations (the Electronic Frontier Foundation
(EFF), TechFreedom, American Civil Liberties Union (ACLU), Reporters
Without Borders, and on and on). CISPA is sold as protecting computers and
networks, but stretches further to protecting exploited children and
dealing with "cyber crime".
That's not to say that there isn't good reason to fight those kinds of
problems, but there are already tools at hand to do so. Part of the
selling point of CISPA is that cybersecurity threats are so fast moving
that stopping to get a judge to issue a warrant could cause irreparable
harm. That may be true, but it may also be less true for some of the other
threats now listed in the House version of CISPA. The "extra" threats
probably seem like an obvious addition, but they may really just end up
allowing carte blanche fishing expeditions in the internet traffic of
those suspected of being some kind of security threat.
Normally, it is the role of judges to impartially look at the reasons that
law enforcement has for its suspicions before they grant search warrants.
That is meant to provide some "checks and balances" in the system.
Circumventing that requirement should not be taken lightly as it is only a
question of when, not if, these kinds of provisions will be abused. There
may be situations where it does make sense to short-circuit the search
warrant process (at least for a short period of time), but it's not at all
clear that the bill's proponents have clearly thought that out. Instead,
it seems like the "threat du jour"; one that Congress must take action on.
The US Senate will also be considering CISPA sometime soon, though the
Obama administration has threatened a presidential veto over privacy
concerns. That threat isn't being taken very seriously by some, but
passage by the Senate is far from assured anyway. That said, it is a
worrisome bill and the EFF and others are gearing up to oppose it in the
Senate.
If there truly is a need for some kind of sweeping cybersecurity
legislation because existing laws cannot handle some
violations—something that hasn't been well articulated by
proponents—there are a number of steps that could be taken to make
CISPA more palatable to civil liberties and privacy advocates. Adding a
mandatory judicial review, reducing the scope to the actual problem being
addressed, and not giving blanket protection against "good faith" misuse of
the data to the government and internet carriers and
providers would all be steps in the right direction. Unfortunately, while
there have been amendments made, the core problems with CISPA remain.
While it may be tempting to write this off as a "US problem", passage of
CISPA is likely to affect internet users worldwide. Large chunks of
internet traffic pass through the US, which would make it vulnerable to
collection. In addition, many internet services are based in the US, and
those US companies might well be asked to hand over data on those in other
countries perceived to be security threats. In fact, the supposed intent
of CISPA is to protect against threats from "overseas".
In the end, CISPA is a poorly thought out, knee-jerk reaction to a real
problem. The scope and severity of that problem is not well understood,
however, and there is a burgeoning cybersecurity industry that is, at a
minimum, cheerleading for tougher measures like this one. That's not a
recipe for good legislation. CISPA is just another in a long line of
proposed and enacted legislation with a stated intent that is far different
from the language in the bill itself. But it is certainly something to
keep an eye on.