Sure. What's the alternative? What did you think happened when law enforcement investigated serious computer crimes? If a financial institution has a key database popped and the Secret Service is called in to investigate, was it your expectation that the victim was required to carefully anonymize and blind all the data in that database? How could any criminal investigation work if that was the requirement? (Cliff's Notes: That's not the requirement).
The bill as written, even before the narrowing amendments, acknowledges the risk this subthread discusses. It does that by trying to define "cyber threat information" as information directly implicated in an attack. In the sponsor's notes on the bill on the House site, they explain that the definition of "protected entity" was changed specifically to prevent individual people from being considered as entities, so that person-specific data couldn't be handed over under CISPA authority.
The basic problem the bill addresses is this: large companies are under continuous attack. Let's stipulate that attacks come in two flavors: DDOS and targeted malware.
In both cases, there is clear utility in allowing companies to collaborate with other companies and with the government.
In the DDOS case, you want to share NetFlow information with your upstream ISPs and with DDOS trackers, because those are the organizations that generate black-hole and IP filtering rules, and they all work better if they have lots of different vantage points to work from. At the very least, you want to push sources back up to your immediate upstream providers so they can soak them up on their infrastructure rather than saturating your uplinks.
In the malware case, you want to share forensic information that would help identify (a) the vulnerability the malware exploits, (b) the C&C system the malware is using, (c) any evidence of the source of the malware, and (d) forensic information that would help investigators discern the intent of the malware.
In both cases, your company's general counsel is apt to inform you that the legal risk of sharing just that information is potentially unbounded, because nobody can predict exactly what claims could be made under ECPA, SCA, DPPA, HIPAA, FERPA, &c; nobody even knows what traces of information, overt or statistical, might be lurking in NetFlow.
So the situation we have today is that there is information sharing when attacks happen, but much of it is sub rosa, and you have to be in the right clubs to get access to the right sharing networks.
It does not make intuitive sense to me that electronic privacy should mean that basic low-level systems information incident to a real attack should incur unbounded legal risk when shared with other companies directly involved in mitigating those attacks.
You might disagree, and that's fine. But the notion that CISPA is actually intended to allow NSA to read your email is just not supported by the language of the bill, by any advocacy for the bill, or by any of the bill's amendments, and the problem the bill is addressing is a real problem (I have some limited professional exposure to it).
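The DDOS sharing scenario above (NetFlow pushed to upstream providers so they can black-hole sources, with the worry that NetFlow carries more than you intend to share) can be made concrete. The following is an added example, not code from anyone in this thread: it takes constructed NetFlow-style records, keeps only flows aimed at an assumed victim prefix (203.0.113.0/24) from external sources, aggregates per source, and emits a report containing nothing but source address and volume, so destination hosts, ports and per-flow timing never leave the organisation. The threshold, window and field list are assumptions for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample NetFlow-style records; fields mirror the common v5 tuple.
# (src_ip, dst_ip, protocol, src_port, dst_port, packets, bytes)
SAMPLE_FLOWS = [
    ("198.51.100.7", "203.0.113.10", 17, 53, 80, 900_000, 58_000_000),   # flood source
    ("198.51.100.9", "203.0.113.10", 17, 53, 80, 880_000, 56_000_000),   # flood source
    ("192.0.2.44",   "203.0.113.10", 6, 51515, 443, 20, 4_000),          # ordinary client
    ("198.51.100.7", "203.0.113.11", 17, 53, 80, 300_000, 19_000_000),   # same source, 2nd target
    ("203.0.113.5",  "203.0.113.10", 6, 40000, 443, 15, 3_000),          # internal host
]

OUR_PREFIX = ip_network("203.0.113.0/24")   # assumption: the victim's own address space
SHARED_FIELDS = ("source", "packets", "bytes")  # the only fields that leave the organisation


def aggregate_external_sources(flows, our_prefix=OUR_PREFIX):
    """Sum packets and bytes per external source that targeted our prefix.

    Destination addresses, ports and protocol are consumed here and dropped,
    so they cannot appear in anything derived from the return value.
    """
    totals = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for src, dst, _proto, _sport, _dport, packets, nbytes in flows:
        if ip_address(dst) not in our_prefix:
            continue  # transit or unrelated traffic, not evidence of the attack on us
        if ip_address(src) in our_prefix:
            continue  # our own hosts are never part of an upstream filtering request
        totals[src]["packets"] += packets
        totals[src]["bytes"] += nbytes
    return totals


def select_attack_sources(totals, window_seconds, min_pps):
    """Keep sources whose average packet rate over the window meets min_pps."""
    hits = []
    for src, t in totals.items():
        if t["packets"] / window_seconds >= min_pps:
            hits.append({"source": src, "packets": t["packets"], "bytes": t["bytes"]})
    hits.sort(key=lambda h: h["packets"], reverse=True)
    return hits


def build_upstream_report(flows, window_seconds=60, min_pps=10_000):
    """Produce the minimised payload to hand to an upstream provider or DDOS tracker."""
    totals = aggregate_external_sources(flows)
    hits = select_attack_sources(totals, window_seconds, min_pps)
    for h in hits:
        # Guard against a future edit leaking extra fields into the shared record.
        assert tuple(h) == SHARED_FIELDS, f"unexpected fields in report: {tuple(h)}"
    return {"window_seconds": window_seconds, "sources": hits}


if __name__ == "__main__":
    import json
    print(json.dumps(build_upstream_report(SAMPLE_FLOWS), indent=2))
```

Run with the embedded sample and the report names two sources and their totals; the low-rate client at 192.0.2.44 and the internal host 203.0.113.5 are absent, as are every destination address and port from the raw flows. Whether such a report falls inside whatever statutory definition of "cyber threat information" finally passes is exactly the legal question the thread is arguing about; the code only shows that the technical minimisation is cheap to do.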
One alternative is to limit CISPA to law enforcement receiving the information rather than the National Security Agency and other arms of the defense-intelligence apparatus. But that amendment failed by a 4-14 vote this week.
May I assume that you'll publicly oppose CISPA if it continues to advance without that amendment? :)
Also, regarding your claims that person-specific data can't be handed over, a separate amendment requiring that failed by a 4-16 vote. So it will be able to be shared with the NSA.
BTW, I'm not arguing that there are not real problems arising from attacks that large companies, and even smaller companies, face. The question is what to do about it, and whether CISPA remains the best vehicle.