Simple Question: What Cyberattack Would The New Cybersecurity Bill Have Stopped?

from the until-you-can-answer-that... dept

Aside from its redundancy, the Senate Intelligence bill grants two new authorities to companies. First, the bill authorizes companies to launch countermeasures (now called "defensive measures" in the bill) for a "cybersecurity purpose" against a "cybersecurity threat." "Cybersecurity purpose" is so broadly defined that it means almost anything related to protecting (including physically protecting) an information system, which can be a computer or software. The same goes for a "cybersecurity threat," which includes anything that "may result" in an unauthorized effort to impact the availability of the information system. Even with the changed language, it's still unclear what restrictions exist on "defensive measures." Since the definition of "information system" is inclusive of files and software, can a company that has a file stolen from them launch "defensive measures" against the thief's computer? What's worse, the bill may allow such actions as long as they don't cause "substantial" harm. The bill leaves the term "substantial" undefined. If true, the countermeasures "defensive measures" clause could increasingly encourage computer exfiltration attacks on the Internet—a prospect that may appeal to some "active defense" (aka offensive) cybersecurity companies, but does not favor the everyday user.

Second, the bill adds a new authority for companies to monitor information systems to protect an entity's hardware or software. Here again, the broad definitions could be used in conjunction with the monitoring clause to spy on users engaged in potentially innocuous activity. Once collected, companies can then share the information, which is also called “cyber threat indicators,” freely with government agencies like the NSA.


Last week, the Senate Intelligence Committee voted (in secret, of course) to approve a new cybersecurity bill, dubbed CISA (as it was in the last Congress), though it kept the content of the actual bill secret until this week. The only Senator who voted against it was... Senator Wyden, of course, who rightly pointed out that this bill is "not a cybersecurity bill – it’s a surveillance bill by another name."

The good folks over at the EFF have a rundown on why the bill is terrible. Also, the bill goes away from previous cybersecurity bills that put Homeland Security in charge (which, by itself, isn't great, but DHS is the best option if you're debating between DHS, the NSA and the FBI). While the information still goes to DHS under this bill, DHS doesn't then get to parse through it and figure out where it goes. Instead, the info needs to be shared "in real time" with the NSA. All of which just gives weight to the fact that this is a surveillance bill, not a bill to protect against "cybersecurity attacks."

But if you want to know the single biggest reason why this bill is bogus: ask those supporting it what cybersecurity attack this bill would have stopped. And you'll notice they don't have an answer. That's because it's not a cybersecurity bill at all. It's just a bill to try to give the government more access to your user info.

Filed Under: cisa, cybersecurity, dhs, information sharing, nsa, ron wyden, senate intelligence committee, surveillance