Computer networks in the United States are under attack by sophisticated, state-sponsored attackers. These attackers are spying on our strategic plans and stealing our technology. They do not target only government systems and networks, but private organizations as well. It is a very serious problem that could have long-term strategic implications for our national security.
Traditional computer security controls have a hard time keeping up with these attackers, because they have developed attack techniques that evade those controls. They know about security vulnerabilities that are still unpatched, for example. The U.S. Government has information about these threats that it uses to protect federal systems and networks. Private organizations are also targeted, and could benefit from having access to this information. The information consists of signatures for intrusion prevention systems (IPS), which watch traffic on the wire for indicators of attack.
The basic purpose of CISPA is to allow the federal government to share classified intrusion prevention signature information with people who work for private organizations and hold government security clearances. I do not know why a new law is necessary in order to allow for this, but the fact is that this kind of information sharing may be important for protecting our computer systems and networks. CISPA also allows those private organizations to share information back to the government. That, I think, is where the trouble lies.
When this law was first proposed, civil liberties groups equated it with SOPA. SOPA had to do with creating a blacklist of foreign web sites that Americans would not be allowed to view. CISPA has to do with protecting computer networks from attack. These are completely different motives, and conflating the two in order to rally the general public against CISPA seemed to me to be manipulative at best.
The reason that civil liberties groups are concerned about CISPA is language stating that this information sharing is authorized "notwithstanding any other law". That means the government could use these intrusion prevention systems to look for anything that could be rationalized to fit within CISPA's definition of a cybersecurity threat, without a warrant.
One reason, I suspect, for the "notwithstanding" language is that intrusion prevention systems are prone to false positives. Organizations that receive these classified signatures aren't likely to know exactly what the signatures are REALLY supposed to be looking for; classified information sharing has a tendency to be minimalistic. When one of these signatures fires, the organization running the signature will probably have little choice but to take a packet capture of the network session it fired on and hand that capture over to the government. The government would then have to examine that capture and determine whether it was really an attack or just a false positive.
If an organization like Google ran one of these systems in front of something like Gmail, for example, the network traffic the system would be examining would mostly consist of people's private email. When the signatures fired, Google would find themselves handing packet captures of people's email over to the federal government for inspection. (Assuming the IPS is deployed behind the SSL decryption layer.)
Presently a number of federal privacy laws prevent Google from sharing your email with law enforcement unless law enforcement has proper authorization, in many cases including a warrant. However, CISPA eliminates all of these concerns with its "notwithstanding" language. (I think that the Fourth Amendment also limits some of what CISPA could be used for, but the analysis is beyond my knowledge of the law. I may follow up on this later.)
CISPA creates a surveillance system on the Internet. The government defines "threats" and sends out signatures that comb through Internet traffic looking for those threats. If those threats are discovered, the information is routed back to the government. Under CISPA, the government WILL accidentally encounter private communications that do not represent a cybersecurity threat - false positives.
As CISPA inevitably involves the government reading private email, a difficult problem arises: what if the email isn't a cybersecurity threat, but it is evidence of a murder? Should the analyst who read it just ignore that? I think that's a bit too much to ask. CISPA has been amended to describe when the analyst should and should not ignore the content of the network traffic they are examining:
Under these new restrictions the government will be able to use information shared under CISPA for 1) cybersecurity purposes -- limited more meaningfully by the definitions amendment; 2) for the investigation and prosecution of cybersecurity crimes; 3) "for the protection of individuals from the danger of death or serious bodily harm and the investigation and prosecution of crimes involving such danger of death or serious bodily harm"; 4) for protecting minors from child pornography, exploitation, trafficking etc.; 5) to protect national security.
Some of these reasons are domestic law enforcement reasons. But what can you do? You can't have intrusion prevention systems without SOME possibility of false positives. You're not going to be able to actually investigate those false positives without being able to look at the network traffic in question. Some of that false positive traffic is going to contain evidence of unrelated criminal activity. At least this amendment prevents them from using this information to go after pot smokers and file sharers!
However, it becomes a real problem if a signature gets placed in the network that is designed to fire on traffic that is only really interesting for a domestic law enforcement purpose. It becomes a problem if the government uses this system in order to surveil rather than to protect.
This is where the definition of a cybersecurity threat becomes really important. We can't really limit what comes out of the system, but maybe we can limit what goes in, so that we know they are only looking for the things we want them to look for.
Fortunately, the crafters of this law have proposed such an amendment. Unfortunately, I'm not sure that it is narrow enough.
What you really want here are signatures that detect attack activity, signatures that detect malware command and control protocols, and signatures that detect data exfiltration. Unfortunately, that's not exactly how the amendment defines things:
The new definition lays out four types of threats, the protection against which constitutes a cybersecurity purpose: 1) a vulnerability of a system or network; 2) "a threat to the integrity, confidentiality, or availability" of a network or of the information passing through the network; 3) "efforts to degrade, disrupt, or destroy a system or network" and 4) "efforts to gain unauthorized access," including for the purpose of misappropriating information (presumably including intellectual property).
Information about efforts... Efforts to degrade a system...
Can you use this system to ferret out private conversations about Anonymous? Could you put a signature out there that fires if it sees a secret code word that members of Anonymous are using to plan a distributed denial of service attack? I think you can, and ultimately, that is surveillance, not network protection.
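To make the "limit what goes in" argument concrete, here is an added illustration that is not part of the original post and not any real IPS or CISPA mechanism. It is a toy signature matcher run over three constructed plaintext sessions (as an IPS would see them behind the SSL decryption layer): one real path traversal attack and two private emails. The three hypothetical signatures show the difference that scope makes: a signature anchored to the HTTP request line fires only on the attack; the same pattern applied to the whole payload also fires on an email that merely talks about the attack (the false positive whose capture gets handed over); and a "code word" signature fires on nothing but private conversation. Session contents, signature IDs and the `scope` field are all invented for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample sessions (not real captures). Each is the plaintext
# application-layer exchange an IPS would see after SSL termination.
SESSIONS = [
    {   # a genuine path traversal attempt against a web server
        "id": "s1",
        "request_line": "GET /cgi-bin/../../../../etc/passwd HTTP/1.1",
        "body": "",
    },
    {   # a private email that merely mentions the same attack string
        "id": "s2",
        "request_line": "POST /mail/send HTTP/1.1",
        "body": "To: bob@example.test\r\nSubject: tonight\r\n\r\n"
                "Remember the ../../etc/passwd trick from the CTF? "
                "Also: meeting at 9, operation nightfall is on.",
    },
    {   # an unrelated private email
        "id": "s3",
        "request_line": "POST /mail/send HTTP/1.1",
        "body": "To: mom@example.test\r\nSubject: dinner\r\n\r\nSee you Sunday.",
    },
]


@dataclass
class Signature:
    sid: str
    description: str
    pattern: re.Pattern
    scope: str  # hypothetical: "request_line" (attack activity) or "payload" (anything)


# Hypothetical signatures, not from any real feed.
SIGNATURES = [
    Signature("ATTACK-1", "path traversal in HTTP request line",
              re.compile(r"\.\./"), "request_line"),
    Signature("BROAD-1", "path traversal string anywhere in the session",
              re.compile(r"\.\./"), "payload"),
    Signature("KW-1", "code word believed to be used to plan a DDoS",
              re.compile(r"operation nightfall", re.IGNORECASE), "payload"),
]


def session_text(session):
    """Reassemble the whole session, which is what a packet capture would hold."""
    return session["request_line"] + "\r\n" + session["body"]


def run_signatures(signatures, sessions):
    """Return a list of (signature id, session id) alerts, like an IPS firing."""
    alerts = []
    for sess in sessions:
        for sig in signatures:
            haystack = (sess["request_line"] if sig.scope == "request_line"
                        else session_text(sess))
            if sig.pattern.search(haystack):
                alerts.append((sig.sid, sess["id"]))
    return alerts


def alerts_by_signature(signatures, sessions):
    """Map each signature id to the sessions it fired on."""
    hits = {sig.sid: [] for sig in signatures}
    for sid, sess_id in run_signatures(signatures, sessions):
        hits[sid].append(sess_id)
    return hits


def captures_for_handoff(signatures, sessions):
    """The material the organization would hand over so the recipient can judge
    a false positive: the full text of every session that fired, private
    email bodies included. Keyed by signature id."""
    by_id = {s["id"]: s for s in sessions}
    return {sid: [session_text(by_id[i]) for i in ids]
            for sid, ids in alerts_by_signature(signatures, sessions).items()}


if __name__ == "__main__":
    for sid, ids in alerts_by_signature(SIGNATURES, SESSIONS).items():
        print(f"{sid}: fired on {ids}")
    for sid, caps in captures_for_handoff(SIGNATURES, SESSIONS).items():
        print(f"{sid}: {sum(len(c) for c in caps)} bytes would be handed over")
```

Running it, ATTACK-1 fires only on the attack session, BROAD-1 fires on the attack and on the email that discusses it, and KW-1 fires only on the email. In each case the hand-off is the whole session, so the scope of the signature, not the analyst's good intentions afterwards, decides how much private mail ends up in front of the government.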
As important as I think this sort of information sharing is, I think there are some legitimate concerns here that this system could be used as a surveillance system. There probably needs to be more discussion about this before we proceed.