Tag Archives: DNI

CISPA is not SOPA

NB: I am a security analyst who works heavily with threat intelligence in the private sector. I do not have an attorney’s license, or even a law degree, and I do not have security clearance. As always, the opinions in this post are mine and nobody else’s. I also will pay no attention to any larger political (read: partisan) implications here, because they have nothing to do with my professional interest in the bill. I also have no idea whether the full House would even take up this bill in an election year; that sort of policy analysis lies far outside my remit.

[Image: "My codes are perfect". Caption: Spock may lay down perfect code, but Congress does not.]

Intro to CISPA

Lately, I’ve seen quite a bit of discussion around HR 3523: Cyber Intelligence Sharing and Protection Act of 2011. Actually, I started paying close attention to it when the EFF (of which I am a member) warned that it could threaten civil liberties. Techdirt also ran an article comparing CISPA to SOPA, the bill that led to a huge backlash across the Internet – including from large players like Google and Wikipedia, among thousands of others.

Some of the criticisms make sense, while others do not. The intent of CISPA has nothing to do with copyright protection, so-called “digital piracy”, file sharing, or the RIAA/MPAA. The bill’s authors have the express intent to enable the sharing of threat intelligence between the government and the private sector: think indicators of compromise, hostile IP addresses, and updated IDS rules, rather than monitoring torrents. Therefore, in my view, criticisms about the bill resembling SOPA don’t hold water, though perhaps (as we’ll see below) the bill could improve by tightening its definitions. So let’s take a look at what the bill actually says. I will do my best to fairly represent the concerns I’ve seen expressed about the bill, but I welcome comment and (courteous) debate from those who hold other opinions. As I have participated in similar programs to share threat intelligence among private firms (primarily in the financial services sector), the US-CERT, and occasionally the US Secret Service, I believe I can speak to the needs of those of us working these issues on the ground every day.

Examination of CISPA

Section 1 only gives the bill its title (commonly shortened to CISPA). Section 2 contains the meat. First, under subsection (a), the sharing program lies under the aegis of the Director of National Intelligence (currently James Clapper). The bill then broadly outlines the sharing and use of classified intelligence, which must be directly linked to “the need to protect the national security of the United States”. The DNI must establish guidelines for clearance of individuals working at firms that use and protect this intelligence. In other words, this subsection mostly revolves around the US government sharing threat intelligence with the private sector.

Subsection (b) starts the fireworks, as it carries the title “Private Sector Use of Cybersecurity Systems and Sharing of Cyber Threat Information”. Paragraph 1 allows “cybersecurity providers” and other organizations to monitor their systems and networks or those of their clients, naturally including threat identification, and then share the resulting threat intelligence with related providers or the government. This already happens to a degree, even outside classified environments.

Paragraph 2 allows the intelligence provider (from the private sector, remember) to anonymize the data or otherwise place restrictions on sharing. In other words, if you want to let others know about an attacker, you don’t need to reveal your own internal architecture to do so, and you can take steps to make sure it doesn’t get released publicly or tied back to you. Also, other organizations can’t use the data for an “unfair competitive advantage”, and the FOIA does not apply to this intelligence. If these latter provisions didn’t exist, then organizations simply wouldn’t want to share useful threat intelligence for fear of disclosure in response to an FOIA request. While this may be controversial from the perspective of some members of the information security community, it certainly doesn’t impinge on our fundamental civil liberties. Paragraph 3 exempts the private sector from liability: if you share threat intelligence data under the provisions of CISPA, or don’t act upon threat intelligence you receive, then you’re not liable for that under this law as long as you acted in good faith. Paragraph 4 also specifies that sharing this intelligence doesn’t satisfy any other requirements (e.g. breach notification laws, responses to subpoenas, etc.).

Subsection (c) requires the Privacy and Civil Liberties Oversight Board to deliver an annual unclassified report to Congress on how well the process works and to make related recommendations. Subsection (d) establishes the usual principle of federal preemption, which strikes me as redundant (since the Constitution already makes this clear) but nonetheless doesn’t harm anything. Subsection (e) clarifies that we can all still share threat intelligence under other programs and processes, so Emerging Threats and ThreatExpert have nothing to fear from CISPA.

Subsection (f) contains the definitions that have led to part of the controversy. Primarily:

The term ‘cyber threat intelligence’ means information in the possession of an element of the intelligence community directly pertaining to a vulnerability of, or threat to, a system or network of a government or private entity, including information pertaining to the protection of a system or network from–
(A) efforts to degrade, disrupt, or destroy such system or network; or
(B) theft or misappropriation of private or government information, intellectual property, or personally identifiable information.

I believe that the phrase “intellectual property” has led to some of the concerns about this bill. Could CISPA allow organizations to share information about, say, file sharing networks with each other and the government? Probably so, although it does so in a way far less invasive than SOPA, as I’ll examine in the next section. (On a side note, I hate how the bill conflates “vulnerability” and “threat” here, but that’s a very small point.) Clearly, however, organizations want to protect things like business plans, research designs, customer data, and all the other sorts of information we try to secure every day. The definitions also explain the differences between a “certified entity”, “protected entity”, and “self-protected entity”, but these primarily have to do with (a) whether the environment is classified and (b) whether an organization protects its own network or a client’s.

The bill wraps up by instructing the DNI to set up this threat intelligence sharing system within 60 days of enactment, plus a few bits of legislative housekeeping. While that instruction may seem small, that’s where all the real work lies.

Comparison with SOPA

Unlike SOPA, CISPA doesn’t make anything a crime. It doesn’t give any new powers to shut down a site and doesn’t give any instructions to payment or advertising providers. It doesn’t make any reference to the Department of Justice in any way, actually. If anything, it pulls the responsibility for sharing “cyber threat intelligence” away from the DoJ and DHS, who would really like to own this, given their existing role with programs like Infragard (worthless in my personal view) and US-CERT (much better). But that reinforces my key point: this is about intelligence to protect communications and data, not law enforcement. If the authors of CISPA wanted to slide in a law to replace the failure of SOPA, then they would not have attached it to the DNI’s office but to a department that deals with broader criminal matters.

TL;DR: CISPA is not SOPA. This doesn’t make it the best possible program to share threat intelligence, though it does look like a reasonable stab at it. My greatest fear actually has to do with how well US-CERT will cooperate here, as it already performs some of these functions.

I hope this analysis clarifies what CISPA actually does and does not contain. Please feel free to discuss CISPA or threat intelligence sharing in the comments below or ping me on Twitter.

Analysis of DNI annual Worldwide Threat Assessment

The US Director of National Intelligence, James Clapper, provided his annual Worldwide Threat Assessment to the Senate yesterday (followed by a classified session with, we can surmise, greater detail).

The unclassified portion discusses cybersecurity several times. In fact, the introduction states:

Counterterrorism, counterproliferation, cybersecurity, and counterintelligence are at the immediate forefront of our security concerns.

Notwithstanding the idea that we should consider cybersecurity as a domain and not only a specific activity, I found it useful to see where the policymakers within the US intelligence community see specific concerns. The entire document runs about thirty pages, but over two-thirds of it addresses specific region-by-region and country-by-country concerns. Two pages cover cyber threats and counterintelligence, which for our purposes cover largely similar ground.

The assessment correctly notes that “neither the public nor private sector has been successful at fully implementing best practices.” I’d go a step further, because best practices evolve on both the attack and defense fronts. We don’t even fully implement standard practices: the things we know how to do efficiently and relatively easily. Standard practices, in my mind, constitute a reasonable bar to clear: if practitioners in a given area generally all accept some technology or process as “the way it’s done”, then we shouldn’t excuse anyone doing less than that.

Interestingly, the document first singles out China and Russia as state actors, but then refers to the 2011 NCIX report to specifically blame “entities within these countries”. This means that, although the DNI does not provide specific reasons for attribution in the unclassified report, he does claim that the entities have state sponsorship. The NCIX only said on page 5 of his report that the intelligence community has “not been able to attribute many of these private sector data breaches to a state sponsor.”

The DNI report also notes that governments cannot keep up with tech development and illustrates this by “failed efforts at censoring social media” in the Arab Spring. This should provide an object lesson to US policymakers, though the recent controversies over SOPA, PIPA, and now ACTA indicate that they might not have fully connected the dots.

As a community, we’ve talked for years about addressing the vulnerability problems (including across the entire supply chain), but the DNI also talks about threat in the context of problems regarding warning, detection, and attribution. He recommends greater “US Government engagement” with the private sector. This presents other challenges, though, because we have concerns about transparency versus legitimate secrecy needs (just for starters).

In the section on counterintelligence, the report also links cybersecurity to foreign intelligence service activity. I physically laughed out loud at the assessment that “many intrusions into US networks are not being detected”: understatement of the year. The report here adds Iran to the list of countries undertaking cybersecurity operations against the US. The private sector infosec community, outside of the defense industrial base and Stuxnet, hasn’t really paid much attention to Iran. That could change in 2012, particularly if geopolitical tensions continue to increase there.

I didn’t expect any specific data in this document, given its purpose and classification level. But it could point the way to at least some of the areas that could involve many of us in the next few years, and it certainly is useful in validating the idea that we need to improve our abilities in sharing threat intelligence and incident detection & response.