Friday, May 25, 2012

So, What Is All This CISPA That You Have Been Hearing About?


By Charlotte Walden


On April 26, 2012, the U.S. House of Representatives passed an amendment to the National Security Act of 1947, called the Cyber Intelligence Sharing and Protection Act, or CISPA (Tsukayama, 2012). If passed, CISPA will allow private corporations and the government to share certain types of information with one another (Tsukayama, 2012). As of this blog, CISPA is now going through the Senate (Tsukayama, 2012).



If CISPA passes the Senate, and after undergoing a process to ensure both houses have passed identical legislation, President Obama has indicated that, at presentment, he will veto the amendment (Knox, 2012). However, Article I, Section 7 of the U.S. Constitution allows both houses to override the president’s veto by a two-thirds majority vote. So, even with Obama’s veto, there is still a possibility that CISPA could become law.

This should be disconcerting to librarians who value the free sharing of uncensored information. If passed, CISPA could create a disincentive for people who want to share certain types of information over the Internet. For instance, as the reader will learn from these blogs, the information governed by CISPA is exempt from many public disclosure and privacy laws. This means that the public will not know whether or not the information they shared on the Internet has been shared with the federal government. In addition to the lack of public disclosure and privacy, vague definitions also offer little guidance as to what kinds of information will trigger CISPA. Likewise, CISPA offers little to no legal remedy if the federal government or a private corporation uses certain types of information in a way that is not authorized by CISPA. Thus, if the public fears that:



1. they will end up on a government watch list because they are unsure if their information will trigger CISPA,
2. they will have no way of knowing if their information has ended up on such a watch list, and
3. they will have little legal recourse for a wrong committed by the government or a private corporation, then
4. the public will likely become more restrictive on the information they choose to share on the Internet.

If the public is more restrictive on what they choose to share on the Internet, CISPA will likely have a censoring effect on the information that is made available on the Internet.

By using direct language from CISPA as it now appears, this blog will show the reader how CISPA works. Additionally, this blog will show the reader why some groups protest CISPA while others praise it.

Due to the size of the information that has been gathered for this topic, this blog will consist of multiple parts. The first part will show how corporations, like Google or Facebook, could, on a voluntary basis, share your information with the federal government. The second part will inform the reader what kind of information will be governed under CISPA, as well as the limitations CISPA places on the use of that information. Finally, the last blog will show the reader how CISPA allows the federal government to share certain types of information with other federal agencies, as well as show the reader how CISPA offers little legal recourse.


All right, let’s get started and ask:

I. What Part of CISPA Allows Private Corporations and the Federal Government To Share Information?


Under section 1104 (a)(2)(A)(i-ii), CISPA states that only certified entities or persons with appropriate security clearance may share classified cyber threat intelligence.

Great. But do you know who or what a certified entity is? Do you know what cyber threat intelligence means? Thought so. Let’s break it down.


1. Cyber Threat Intelligence

According to section 1104 (h)(5), cyber threat intelligence “means intelligence in the possession of an element in the intelligence community directly pertaining to:


(i) a vulnerability of a system or network of a government or private entity;

(ii) a threat to the integrity, confidentiality, or availability of a system or network of a government or private entity or any information stored on, processed on, or transiting such a system or network;

(iii) efforts to deny access to or degrade, disrupt, or destroy a system or network of a government or private entity; or

(iv) efforts to gain unauthorized access to a system or network of a government or private entity, including to gain such unauthorized access for the purpose of exfiltrating information stored on, processed on, or transiting a system or network of a government or private entity.”


2. Certified Entity

A visualization of the certified entity definition.

A certified entity, according to section 1104 (h)(2), means “a protected entity, self-protected entity, or cyber security provider” that:

A. gets security clearance from the Director of National Intelligence, AND
B. can demonstrate to the Director that they can protect classified cyber threat intelligence





a.     Cybersecurity Provider


Section 1104 (h)(7) says a “cybersecurity provider means a non-governmental entity that provides goods or services intended to be used for cybersecurity purposes.”

· (. . . and as if that wasn’t enough) Cybersecurity purposes “means the purpose of ensuring the integrity, confidentiality, or availability of, or safeguarding, a system or network, including protecting a system or network from—
i. a vulnerability to a system or network;
ii. a threat to the integrity, confidentiality, or availability of a system or network or any information stored on, processed on, or transiting such a system or network;
iii. efforts to deny access to or degrade, disrupt, or destroy a system or network; OR
iv. efforts to gain unauthorized access to a system or network, including to gain such unauthorized access for the purpose of exfiltrating information stored on, processed on, or transiting a system or network.”

                    
b.    Protected Entity

Section 1104 (h)(11) says a protected entity “means an entity, other than an individual, that contracts with a cybersecurity provider for goods or services to be used for cybersecurity purposes.”

c.     Self-Protected Entity

Section 1104 (h)(12) says “a self-protected entity means an entity, other than an individual, that provides goods or services for cybersecurity purposes to itself.”

All right, folks, with all those words, do you know who is authorized to share cyber threat intelligence (i.e. who a certified entity is) under CISPA?

Need a hint?

Well, as some point out, the definition of a cybersecurity provider (which is also a certified entity) most likely includes corporations like Symantec, Norton Anti-Virus, and the like (Westervelt, 2012). However, as others point out, this definition could include so much more. “For example,” as one blogger wrote, “Google and Microsoft offer [some form of cyber security service with their] productivity apps for email, word processing, spreadsheets, and so forth.” (Samson, 2012). “[Additionally], [a]n ISP such as Verizon or AT&T protects your data as it travels in and out of your network” (Samson, 2012). Thus, by definition, Google, Verizon, Facebook, and others could be certified entities. Yet, a certified entity is also someone who contracts with a cybersecurity provider (a protected entity) or provides cybersecurity purposes to itself (a self-protected entity). Thus, some have argued that, contrary to the quote above, Google and Facebook would fall under the self-protected entity sub-definition (Sottek, 2012).

Regardless of which sub-definition they fall under, it is likely that companies such as Google and Facebook, as long as the Director of National Intelligence grants them the okay, would be considered certified entities under CISPA. As it just so happens, Facebook, which vehemently opposed SOPA and PIPA earlier this year, is one of CISPA’s big supporters (Kaplan, 2012). More on that later…

All right, so now that we have some idea about who these certified entities might be, one must ask: who are these entities allowed to share cyber threat information with?

II. The Federal Government, Voluntarily


Section 1104 (b)(1)(A)(ii) of CISPA states that a cybersecurity provider (which is a certified entity, remember) has the discretion to share cyber threat information, with the consent of a protected entity, with the Federal Government for National Security purposes.

Additionally, section 1104(b)(1)(B)(ii) states that self-protected entities may also share cyber threat information with the Federal Government for cyber security purposes.

By the way, for those who noticed the change in terms, the only difference between cyber threat information and cyber threat intelligence is that the former refers directly to the information itself [section 1104(h)(4)], while the latter only refers to the possession of such information [section 1104 (h)(5)].  Otherwise, both definitions are basically word for word.

So, with the language that is going through the Senate right now, CISPA sets up a voluntary sharing of cyber threat information between the Federal Government and certified entities, which could include Facebook, Google, and many others. Since this is a voluntary sharing, CISPA notes that certified entities will not be liable for not participating in CISPA (see section 1104 (g)(5) of CISPA). Additionally, CISPA also states that nothing in the bill will be construed as requiring certified entities to share cyber threat information with the government (see section 1104(c)(3)).


All right, that is all for today. Stay tuned for more blogs that will show how CISPA allows your information, if it is deemed to be a cybersecurity threat, to be shared amongst federal agencies. The next blogs will also discuss limitations, liability exemptions, legal recourse, and CISPA’s relation to other privacy laws. Later blogs will also reveal why some groups oppose CISPA, while other groups support it. Until next time, ta ta.

References

Kaplan, J. (2012, April 13). A message about CISPA. (Facebook post). Retrieved from http://www.facebook.com/notes/facebook-washington-dc/a-message-about-cispa/10150723305109455

Knox, O. (2012, April 6). CISPA cybersecurity bill gets veto threat from Obama. ABC News. Retrieved from http://abcnews.go.com/Politics/OTUS/cispa-cybersecurity-bill-veto-threat-obama/story?id=16214940#.T8A4AL8087A

Samson, T. (2012, April 30). Why CISPA could kill the cloud. (Web blog). InfoWorld. Retrieved from http://www.infoworld.com/t/cloud-computing/why-cispa-could-kill-the-cloud-192014

Sottek, T. C. (2012, April 27). The Cyber Intelligence Sharing and Protection Act explained. The Verge. Retrieved from http://www.theverge.com/2012/4/27/2976718/cyber-intelligence-sharing-and-protection-act-cispa-hr-3523

Tsukayama, H. (2012, April 27). CISPA passes the House, privacy battle moves to the Senate. The Washington Post. Retrieved from http://www.washingtonpost.com/blogs/post-tech/post/cispa-passes-the-house-privacy-battle-moves-to-senate/2012/04/27/gIQA7cJBlT_blog.html

Westervelt, R. (2012, April 27). CISPA intelligence information sharing bill passes House, headed to Senate. (Web blog). IT Knowledge Exchange. Retrieved from http://itknowledgeexchange.techtarget.com/security-bytes/cispa-intelligence-information-sharing-bill-passes-house-headed-to-senate/
