NB: I am a security analyst who works heavily with threat intelligence in the private sector. I do not have an attorney’s license, or even a law degree, and I do not have a security clearance. As always, the opinions in this post are mine and nobody else’s. I will also pay no attention to any larger political (read: partisan) implications here, because they have nothing to do with my professional interest in the bill. I also have no idea whether the full House would even take up this bill in an election year; that sort of policy analysis lies far outside my remit.
Intro to CISPA
Lately, I’ve seen quite a bit of discussion around HR 3523: Cyber Intelligence Sharing and Protection Act of 2011. Actually, I started paying close attention to it when the EFF (of which I am a member) warned that it could threaten civil liberties. Techdirt also ran an article comparing CISPA to SOPA, the bill that led to a huge backlash across the Internet – including from large players like Google and Wikipedia, among thousands of others.
Some of the criticisms make sense, while others do not. The intent of CISPA has nothing to do with copyright protection, so-called “digital piracy”, file sharing, or the RIAA/MPAA. The bill’s authors have the express intent to enable the sharing of threat intelligence between the government and the private sector: think indicators of compromise, hostile IP addresses, and updated IDS rules, rather than monitoring torrents. Therefore, in my view, criticisms about the bill resembling SOPA don’t hold water, though perhaps (as we’ll see below) the bill could improve by tightening its definitions. So let’s take a look at what the bill actually says. I will do my best to fairly represent the concerns I’ve seen expressed about the bill, but I welcome comment and (courteous) debate from those who hold other opinions. As I have participated in similar programs to share threat intelligence among private firms (primarily in the financial services sector), the US-CERT, and occasionally the US Secret Service, I believe I can speak to the needs of those of us working these issues on the ground every day.
Examination of CISPA
Section 1 only gives the bill its title (commonly shortened to CISPA). Section 2 contains the meat. First, under subsection (a), the sharing program lies under the aegis of the Director of National Intelligence (currently James Clapper). The bill then broadly outlines the sharing and use of classified intelligence, which must be directly linked to “the need to protect the national security of the United States”. The DNI must establish guidelines for the clearance of individuals working at firms that use and protect this intelligence. In other words, this subsection mostly revolves around the US government sharing threat intelligence with the private sector.
Subsection (b) starts the fireworks, as it carries the title “Private Sector Use of Cybersecurity Systems and Sharing of Cyber Threat Information”. Paragraph 1 allows “cybersecurity providers” and other organizations to monitor their systems and networks or those of their clients, naturally including threat identification, and then share the resulting threat intelligence with related providers or the government. This already happens to a degree, even outside classified environments.
Paragraph 2 allows the intelligence provider (from the private sector, remember) to anonymize the data or otherwise place restrictions on sharing. In other words, if you want to let others know about an attacker, you don’t need to reveal your own internal architecture to do so, and you can take steps to make sure it doesn’t get released publicly or tied back to you. Also, other organizations can’t use the data for an “unfair competitive advantage”, and the FOIA does not apply to this intelligence. If these latter provisions didn’t exist, then organizations simply wouldn’t want to share useful threat intelligence for fear of disclosure in response to a FOIA request. While this may be controversial from the perspective of some members of the information security community, it certainly doesn’t impinge on our fundamental civil liberties. Paragraph 3 exempts the private sector from liability: if you share threat intelligence data under the provisions of CISPA, or don’t act upon threat intelligence you receive, then you’re not liable for that under this law as long as you acted in good faith. Paragraph 4 also specifies that sharing this intelligence doesn’t satisfy any other requirements (e.g. breach notification laws, responses to subpoenas, etc.).
Subsection (c) requires an annual unclassified report to Congress from the Privacy and Civil Liberties Oversight Board on how well the process works and asks it to make related recommendations. Subsection (d) establishes the usual principle of federal preemption, which strikes me as redundant (since the Constitution already makes this clear) but nonetheless doesn’t harm anything. Subsection (e) clarifies that we can all still share threat intelligence under other programs and processes, so Emerging Threats and ThreatExpert have nothing to fear from CISPA.
Subsection (f) contains the definitions that have led to part of the controversy. Primarily:
The term `cyber threat intelligence’ means information in the possession of an element of the intelligence community directly pertaining to a vulnerability of, or threat to, a system or network of a government or private entity, including information pertaining to the protection of a system or network from–
(A) efforts to degrade, disrupt, or destroy such system or network; or
(B) theft or misappropriation of private or government information, intellectual property, or personally identifiable information.
I believe that the phrase “intellectual property” has led to some of the concerns about this bill. Could CISPA allow organizations to share information about, say, file sharing networks with each other and the government? Probably so, although it does so in a way far less invasive than SOPA, as I’ll examine in the next section. (On a side note, I hate how the bill conflates “vulnerability” and “threat” here, but that’s a very small point.) Clearly, however, organizations want to protect things like business plans, research designs, customer data, and all the other sorts of information we try to secure every day. The definitions also explain the differences between a “certified entity”, “protected entity”, and “self-protected entity”, but these primarily have to do with (a) whether the environment is classified and (b) whether an organization protects its own network or a client’s.
The bill wraps up by instructing the DNI to set up this threat intelligence sharing system within 60 days of enactment, followed by a few legislative housekeeping bits. While that instruction may seem small, that’s where all the real work lies.
Comparison with SOPA
Unlike SOPA, CISPA doesn’t make anything a crime. It doesn’t give any new powers to shut down a site and doesn’t give any instructions to payment or advertising providers. It doesn’t make any reference to the Department of Justice in any way, actually. If anything, it pulls the responsibility for sharing “cyber threat intelligence” away from the DoJ and DHS, who would really like to own this, given their existing role with programs like Infragard (worthless in my personal view) and US-CERT (much better). But that reinforces my key point: this is about intelligence to protect communications and data, not law enforcement. If the authors of CISPA wanted to slide in a law to replace the failure of SOPA, then they would not have attached it to the DNI’s office but to a department that deals with broader criminal matters.
TL;DR: CISPA is not SOPA. This doesn’t make it the best possible program to share threat intelligence, though it does look like a reasonable stab at it. My greatest fear actually has to do with how well US-CERT will cooperate here, as it already performs some of these functions.
I hope this analysis clarifies what CISPA actually does and does not contain. Please feel free to discuss CISPA or threat intelligence sharing in the comments below or ping me on Twitter.