I think that perhaps my concerns regarding CISPA and the lack of concern from others I have spoken with comes down to how much we each trust the government to behave and self moderate itself.
There is a great deal of language in CISPA regarding how the government “shall conduct cybersecurity activities to provide shared situational awareness that enables integrated operational actions to protect, prevent, mitigate, respond to and recover from cyber incidents.”
And how as part of that process they shall “facilitate information sharing, interaction, and collaboration among and between the Federal Government; State, local, tribal, and territorial governments; and cybersecurity providers and self-protected entities.”
CISPA speaks of how the government shall “establish and periodically review policies and procedures governing the receipt, retention, use, and disclosure of non-publicly available cyber threat information shared with the Federal Government…Such policies and procedures shall, consistent with the need to protect systems and networks from cyber threats and mitigate cyber threats in a timely manner— “
Those procedures are to:
- “minimize the impact on privacy and civil liberties” (Which admits an impact)
- “reasonably limit the receipt, retention, use, and disclosure of cyber threat information associated with specific persons that is not necessary to protect systems or networks from cyber threats or mitigate cyber threats in a timely manner” (Who gets to judge what is “reasonable”?)
- “protect the confidentiality of cyber threat information associated with specific persons to the greatest extent practicable;” (But only to the extent that it is practicable? Kind of a built in excuse isn’t it?)
- “not delay or impede the flow of cyber threat information necessary to defend against or mitigate a cyber threat.” (I wonder if the aforementioned privacy and civil liberties efforts, and reasonable limits could be construed as delaying or impeding necessary defense information? I think you know that bureaucrats could and would make such arguments if the need to protect themselves and the government arose.)
Oh look, “INFORMATION SHARING RELATIONSHIPS.— Nothing in this section shall be construed to…prohibit the sharing of cyber threat information directly with a department or agency of the Federal Government for criminal investigative purposes related to crimes described in section 1104(c)(1) of the National Security Act of 1947”
I wonder what other purposes are in section 1104(c)(1)?
- “for cybersecurity purposes;”
- “for the investigation and prosecution of cybersecurity crimes;”
- “for the protection of individuals from the danger of death or serious bodily harm and the investigation and prosecution of crimes involving such danger of death or serious bodily harm; or” (Wait a minute??? Can this not be VERY broadly construed as to allow both the preemptive use of the information to protect as well as for investigative purposes that would normally take Court Warrants to attain?)
- “for the protection of minors from child pornography, any risk of sexual exploitation, and serious threats to the physical safety of minors, including kidnapping and trafficking and the investigation and prosecution of crimes involving child pornography, any risk of sexual exploitation, and serious threats to the physical safety of minors, including kidnapping and trafficking, and any crime referred to in section 2258A(a)(2) of title 18, United States Code.” (Here is a link to that Code Section http://www.law.cornell.edu/uscode/text/18/2258A)
Now it seems that “The Federal Government may not affirmatively search cyber threat information shared with the Federal Government under subsection (b) for a purpose other than a purpose referred to in paragraph (1).” (Consider however that all those bullets directly above are from that paragraph (1).)
This legislation also poses problems for whistleblowers, as “efforts to exfiltrate information from a system or network without authorization;” is defined as a cybersecurity crime.
Now it is true that there is not a mandate for businesses to participate with the Government on Cybersecurity in the ways proposed by this legislation. But the legislation does seek to “encourage the sharing of such intelligence” as well as “facilitate information sharing, interaction, and collaboration among and between the Federal Government; State, local, tribal, and territorial governments; and cybersecurity providers and self-protected entities.”
With all that government encouragement, keep in mind that the parties involved are also given legal cover in the form of immunity: “No civil or criminal cause of action shall lie or be maintained in Federal or State court against a protected entity, self-protected entity, cybersecurity provider, or an officer, employee, or agent of a protected entity, self-protected entity, or cybersecurity provider, acting in good faith—”
What is lack of “Good Faith”? Glad you asked... “For purposes of the exemption from liability under subparagraph (A), a lack of good faith includes any act or omission taken with intent to injure, defraud, or otherwise endanger any individual, government entity, private entity, or utility.” (Sounds to me like any participating entity is pretty well covered so long as they can say they were just being good little citizens.)
I’ll wrap it there as that is probably already more than you wanted to read. Can you see where some have some concerns regarding our 4th amendment protections if this law is broadly interpreted?
Shannon Grimes, D.C.