After just reading through the bill for the first time, I agree with most of the criticism that the broadness of the bill creates significant opportunity for misuse.
Unfortunately, if you read the bill with an optimistic view of government, most of the items in the bill are written to seem like common sense and good ideas. If the bill is read with a skeptical eye, one can see how vast the breaches of privacy and abuses of CISPA could reach.
As mentioned, I only just now read the bill, and you appear to be much more educated on it than I, and from reading your comments, you seem very even-keeled on your defense of the bill. I am generally supportive of the purpose and goals of the bill.
It's been hard for me to get clarification on what some of the vagaries and broad language of the bill could actually mean legally due to most articles I read having a strong bias one way or the other.
I'm supportive of information sharing in order to combat and better protect against cyber threats, but if that information sharing is covered by a liability shield (which it almost certainly has to be), it seems like even a benevolent company may err on the side of sharing more information than needed with the government.
As the bill details little about oversight of who gets access to the data and how it will be used, a skeptical and cynical look at this information being in the hands of the government could suggest that this information would be used for profiling or information gathering on US citizens.
I think the broader argument could be "what expectation of privacy do we have on the internet?". I'm not sure where I fall on that issue, but I do wish it was clearer, not necessarily for me, but moreso for folks like my parents that don't truly understand what it means to send information across the internet (encrypted or unencrypted).
The third one is the reason this bill exists. I'll bet you a bitcoin that there is a huge contract waiting for SAIC or similar, and they can't greenlight without pushing this through.
Edit: I guess 'independent' contractors means individuals, I just meant independent of the government. Anyway, that's still my bet. It doesn't have anything to do with small companies needing to share netflows without asking their lawyers every time.
I watched it, but to be honest, I zoned out towards the end. So little substance; just a collection of dinosaurs throwing around the 'cyber' rhetoric like computer security is a game of Risk. They don't know what the hell they're talking about. They just repeat all the buzzwords they get from the literature provided by all the pro-CISPA lobbyists.
I just called my Representative and hope for the best, but I fear these assholes are going to win this round. I will be throwing the EFF some more money next payday though.
This would seem to require figuring out what I think about CISPA, first. I don't feel very strongly about it either way -- slightly positive toward some aspects, slightly negative toward other aspects, but it feels pretty much like a legislative no-op.
Worth noting that 1) the ACLU and others still oppose the bill in modified form, and 2) there was a half-assed veto threat from the WH, and 3) lawmakers view the veto threat as a negotiating ploy.
So I believe this is a done deal -- unless something dramatically changes.
One thing that does not seem to be often discussed is that CISPA data can be used to investigate and prosecute crimes. Specifically, crimes involving harm to minors or serious bodily harm.
No one likes to see adults or minors injured, but this inclusion is at odds with proponents' claim that CISPA is only "for cybersecurity purposes". Even the House Committee on Intelligence's own FAQ seems to contradict the bill's text in its first entry:
"Serious bodily harm" isn't a term which just covers terrorist acts; it covers things like automobile accidents. One wonders if data collected under CISPA could be used to find and prosecute drunk drivers in a National Park -- hey, it prevents serious bodily harm and it's on Federal property, right?
Other claims that the bill's language is too broad and needs more work:
Talking about protecting minors is usually a good thing to throw into a dirty bill that can't stand on its own, as a weak appeal to emotion. Sadly, it works.
This is one of the most concerning issues to me from that FAQ:
Q: Can a company hack a perceived threat under CISPA ("hack back")?
A: CISPA provides companies with immunity "for decisions made based on cyber threat information" as long as they are acting in good faith. But CISPA doesn’t define “decisions made.” Aggressive companies could interpret this immunity to cover "defensive"—and what some would consider offensive—countermeasures like DDOSing suspected intruders, third parties, or even innocent users. Private defense contractors have already advocated for this power. These actions should not be allowed by such expansive wording. It leaves the bill ripe for abuse.
So, corporations can effectively DDoS other servers now, without legal repercussion, as long as it was in 'good faith'. How does one evaluate 'good faith' in a court room? If I'm a small company with a website, and some major corporation attacks me and knocks my site offline because the attacker who attacked them spoofed the IP address with my website's address, are they off the hook because their attack was in 'good faith'?
To me, I get the feeling that CISPA is about more than violating privacy (although it does that in spades), but also legitimatizing the militarization of the Internet.
I don't know what to think about the "hack-back" controversy.
On the one hand, the idea that there could ever be federal authorization for "hacking back" at any target is preposterous. The result would be chaos. Attackers would almost certainly invest effort in tricking the service providers dumb enough to do it into striking innocent networks, or, better yet, into striking out at other providers who themselves would launch "hack-back" efforts --- you know, this is starting to sound awesome --- and in reality no company with a lawyer on staff, retainer, or in the phone book would ever allow their team to do such a thing, CISPA or no CISPA.
On the other hand, if just one company is dumb enough to misread the law as providing authorization and tort immunity from running attack code on their imagined attackers, that's probably a very good reason to amend the bill.
I watched for a little while, but when you're watching the political equivalent of paint drying it's hard to remain interested after a while. I see quite a few things passed; let's hope the White House follows through with their veto threats. With the appropriate amends required to make this bill less broad, it wouldn't be nearly as bad. The scary thing about this bill is that, for some reason, the amends weren't made, which leads me to believe there are ulterior motives of those in support of this bill yet to be revealed until it's too late.
I thought the veto was because the bill was too lenient on companies.
"However, the Administration is concerned about the broad scope of liability limitations in H.R. 624. Specifically, even if there is no clear intent to do harm, the law should not immunize a failure to take reasonable measures, such as the sharing of information, to prevent harm when and if the entity knows that such inaction will cause damage or otherwise injure or endanger other entities or individuals." [http://news.cnet.com/8301-13578_3-57579905-38/obama-threaten...]
In other words, that corporations should be punished for not providing information.