On April 18, 2013, the US House of Representatives passed the Bill H.R. 624, also known as the Cyber Intelligence Sharing and Protection Act (CISPA). An earlier version of the bill had been passed already by the US HR, but did not pass the Senate (for earlier analysis of the Bill, see here).
When reading the new version of CISPA, it would be easy to dismiss it as mostly hot air about intelligence agencies sharing information with one another. It is true that the first half of the bill is dedicated to creating mechanisms that will coordinate between the Department of Homeland Security and other government offices with regards to cybersecurity data. The fun begins with Section 3 on Cyber threat intelligence and information sharing. Sec. 1104(1) reads:
(1) IN GENERAL- The Director of National Intelligence shall establish procedures to allow elements of the intelligence community to share cyber threat intelligence with private-sector entities and utilities and to encourage the sharing of such intelligence.
This sets the procedure for intelligence agencies to give information to the private sector in order to make them aware of some “cyber threat”. But what xactly is a cyber threat? According to the bill, it is:
“(A) IN GENERAL- The term ‘cyber threat intelligence’ means intelligence in the possession of an element of the intelligence community directly pertaining to–
‘(i) a vulnerability of a system or network of a government or private entity or utility;
‘(ii) a threat to the integrity, confidentiality, or availability of a system or network of a government or private entity or utility or any information stored on, processed on, or transiting such a system or network;
‘(iii) efforts to deny access to or degrade, disrupt, or destroy a system or network of a government or private entity or utility; or
‘(iv) efforts to gain unauthorized access to a system or network of a government or private entity or utility, including to gain such unauthorized access for the purpose of exfiltrating information stored on, processed on, or transiting a system or network of a government or private entity or utility.”
This is terribly broad, it puts in the same category a relatively harmless DDoS attack, and serious international cyber-spying by means of gaining access to a computer.
CISPA is also very broad about the types of private entities that will be subject of communication from intelligence agencies. There are three types of private enterprises covered by the Bill:
“CYBERSECURITY PROVIDER- The term ‘cybersecurity provider’ means a non-Federal entity that provides goods or services intended to be used for cybersecurity purposes.[…]
PROTECTED ENTITY- The term ‘protected entity’ means an entity, other than an individual, that contracts with a cybersecurity provider for goods or services to be used for cybersecurity purposes.[…]
SELF-PROTECTED ENTITY- The term ‘self-protected entity’ means an entity, other than an individual, that provides goods or services for cybersecurity purposes to itself.”
“Cyber-security purposes” are also broadly defined, almost in identical fashion to cyber-threat intelligence. These definitions cover pretty much any Internet intermediary service, from anti-DDoS cloud providers, to any company with a firewall and antivirus installed. It is as strike of inspired legislative drafting that manages to make such broad provisions sound so narrow.
The icing on the cake is the fact that private enterprises will have no other recourse but to comply with this intelligence collaboration, because if they do so, they are immune from prosecution. The Bill reads:
“‘(A) EXEMPTION- No civil or criminal cause of action shall lie or be maintained in Federal or State court against a protected entity, self-protected entity, cybersecurity provider, or an officer, employee, or agent of a protected entity, self-protected entity, or cybersecurity provider, acting in good faith–
‘(i) for using cybersecurity systems to identify or obtain cyber threat information or for sharing such information in accordance with this section; or
‘(ii) for decisions made for cybersecurity purposes and based on cyber threat information identified, obtained, or shared under this section.
‘(B) LACK OF GOOD FAITH- For purposes of the exemption from liability under subparagraph (A), a lack of good faith includes any act or omission taken with intent to injure, defraud, or otherwise endanger any individual, government entity, private entity, or utility.”
The above pretty much compels all intermediaries to share any sort of information they may have on their customers if it is deemed by some obscure intelligence agency that the subject might be engaged in some cyber threat, which is also broadly defined.
To translate from Legalese to Plain English, CISPA allows US intelligence agencies to contact practically any private provider of information technology services to ask them to snoop on their customers if there is suspicion that they may be engaged in an online activity that could be considered threatening, which includes anything from whistleblowing to participation in a DDoS protest. The intermediary will have to comply, as this is the only way in which they will be exempt from criminal and/or civil liability. In other words, spy for us, or else.
Why should people outside of the US care about CISPA? Because a vast majority of people in the world employ a US company one way or another. This includes:
- Hosting: 83% of the world’s content is hosted in the US.
- Cloud providers: The top 10 cloud provider are based in the US.
- Domain name registries: The United States is the country with the most domain names registered under its jurisdiction.
- Email: Top 4 webmail providers are based in the US (Microsoft, Yahoo, Google and AOL).
This does not even consider other services, such as VPN providers, anonymisers, browsers… anything that can be considered a self-protected entity could be covered by CISPA.
So make your voice heard and try to help defeat this nefarious piece of legislation.