Cyber security Trojan horse pushed through Senate

Started by Michael K., November 01, 2015, 10:17:03 PM


Michael K.

In the name of confronting 'cyber terrorism' the US Senate voted away the government's power to hold corporations liable for harm done to citizens by sharing hitherto privileged confidential information with peers. In addition, the bill assigns the government the job of imposing draconian punishment on those who hack corporations, wherever in the world they may live.

http://www.truth-out.org/news/item/33460-us-senate-passes-cisa-a-cybersecurity-bill-critics-say-will-expand-mass-surveillance

Quote: The landslide Senate vote in favor of the Cybersecurity Information Sharing Act, or CISA, came after multiple attempts spanning five years to pass similar legislation under different names. Called CISPA in a former incarnation, the bill also drew on the highly controversial "cyber" legislation before it: SOPA and PIPA.

Some of the tech companies that have raised concerns about CISA include Google, Apple, Microsoft and Oracle. CISA sponsor Senator Richard Burr addressed those companies specifically ahead of Tuesday's vote, saying "Do not try to stop this legislation and put us in a situation in that we ignore the fact that cyber attacks are going to happen with greater frequency for more individuals, and that the sooner we learn how to defend our systems, the better off personal data is in the United States of America."

The stated purpose of CISA is to allow companies to share information in real time about perceived hacking threats, but critics of the bill warn it's a legal framework for mass surveillance in cybersecurity clothing.

"In particular, CISA seems like it offers the opportunity for companies to engage in PRISM-like practices without a risk of being called to task for the privacy invasions that are a result," explains technologist Daniel Kahn Gillmor, a fellow at the American Civil Liberties Union's Speech, Privacy and Technology Project. He says that information-sharing already occurs at a certain level to monitor and mitigate threats to networks, but the type of data sharing across networks with varying security protocols called for in CISA would actually make data more vulnerable.

"By encouraging a wide spread of potentially large amounts of information, it allows and encourages the establishment of not only the sort of spying apparatus that really has no business being in place in a democratic society, but it decreases cybersecurity by putting the data that is shared even more at risk than it was in the first place," explains Gillmor.

Ahead of Tuesday's vote, Senate supporters of the bill pushed the point that participation in the information-sharing program is voluntary. But companies that do choose to join can take advantage of an attractive incentive: liability protection.

CISA "provides that two competitors in a market can share information on cyber threats with each other without facing anti-trust suits," says California Senator Dianne Feinstein. "It provides that companies sharing cyber threat information with the government for cybersecurity purposes will have liability protection."

CISA critics say that liability protection could keep companies with already bad digital security practices from improving their protocols. Then there's the issue of oversight.

"This has none of the oversight that the already pathetic, inadequate overseeing programs that the NSA and FBI currently do - none of the oversight, none of the ability for a defendant to ultimately challenge the collection of this data," says independent journalist and researcher Marcy Wheeler. "And it's going to get a lot more content from Americans, which is illegal, according to a Supreme Court ruling."

Oversight would fall to inspectors general within the agencies, who - when they do find issue with a program - tend to act slowly, if ever.

Wheeler says companies can also use reports of perceived network intrusions or hacking as a sort of "get out of regulatory action free" card: "For example, Chrysler was exposed to have, you know, that their cars could be hacked remotely. If Chrysler had just gone to NHTSA, to the National Highway Traffic Safety Administration, and given them that data from the start, NHTSA would not have been able to force a recall, which is what NHTSA ended up doing. So this actually takes tools out of the government's hands to force corporations to do what they need to do. And they're doing it...Congress is doing it just to bribe corporations to spy on their customers for the government. That's the arrangement that is happening here."

But while the measure encourages information sharing in some sectors, it restricts it in others.

CISA significantly weakens the Freedom of Information Act and puts decision-making power on FOIA requests into the hands of the Senate Intelligence Committee, the same body where current CISA legislation originated.

Before it can go to the president's desk and become law, CISA must now go back to the House of Representatives for conference, so legislators can consolidate the Senate bill with the House version passed earlier this year.


http://www.theguardian.com/technology/2015/oct/22/cybersecurity-cisa-bill-amendment-foreign-nationals

Quote: An amendment to a controversial cybersecurity bill will allow US courts to pursue and jail foreign nationals even if the crimes they commit are against other foreigners and on foreign soil.

The main aim of the amendment to the Cybersecurity Information Sharing Act (Cisa), which passed a key Senate hurdle on Thursday, is to lower the barrier for prosecuting crimes committed abroad. But the amended law would make it a crime punishable by US prison time not merely to clone the credit card or steal the Netflix password of an American citizen, but to take unauthorized information from any American company, no matter where it happens.

In other words, if a French national hacks a Spanish national's MasterCard, she could be subject to 10 years in US prison under laws changed by the bill.

The law has already attracted heavy criticism from American privacy advocates. The Electronic Frontier Foundation points out that the computer fraud laws that would be broadened by Cisa were used to prosecute the late founder of Demand Progress, Aaron Swartz, for downloading articles from JSTOR, the digital library of academic journals.

The amendment was proposed by Sheldon Whitehouse, a Democratic senator from Rhode Island. "The White House folks have been pretty clear that that's what they're trying to do, ease prosecutions for trafficking when the assets are held abroad," said Gabe Rottman, legislative counsel and policy advisor for the American Civil Liberties Union (ACLU).

Cisa's stated purpose is to create a reporting system for private industry allowing any company with a digital record of consumer behavior to send "cyber threat indicators" to the Department of Homeland Security. DHS is then required to pass the information on to the FBI and the director of national intelligence, to whom the director of the CIA reports. The DHS has come out against the bill, arguing it could sweep away "important privacy protections". Cisa is also facing mounting pressure from tech companies, which have called for it to be rewritten or scrapped.

The bill would also block any disclosures, with specific mention of the Freedom of Information Act, about what information had been shared.