
This would allow the USG, which operates the largest IT department in the world and the largest computer security team in the world, to share malware samples and vulnerability data with private companies, instead of the current state of affairs, where we can safely presume the USG often must sit back and watch as people get owned up by attacks they've been aware of for months.



That sounds extremely difficult to buy. Does there really not exist any legal avenue in which USG could hand over the pertinent data to the authorities? Why is it that Google (as it has claimed) can hand over thousands of e-mail accounts' contents to various 3-letter agencies but USG cannot hand over samples of malware?


Because malware and attack signatures might be classified depending on how they were collected.

In the general case, I really wish we could agree to not try to argue factual or legal matters according to vague notions of "common sense." I feel like a lot of these types of discussions on HN quickly devolve into one person stating a fact, and the other person saying "that doesn't seem right." Lots of things that are factually true don't match your or my conceptions of how the world should work.


Google hands over email addresses based on court orders and (less frequently) warrants.

It is not reasonable to run a security response group that needs to get a court order every time an incident occurs.


    Google hands over email addresses based on court orders and (less frequently) warrants.
So, the authorities have the resources to request user data by the numbers 14,000 and above from just Google alone for Gmail accounts [1]... and you're telling me we need more cyber security bills to make it even easier for them. Don't you think they already have it easy enough? I'm still skeptical about your claim that presently there exist no means for USG to legally hand over malware samples to the authorities in existing legal frameworks. Can you provide some citation that talks about this?

[1] http://www.google.com/transparencyreport/userdatarequests/ -- it should be noted that Google complies with the requests a majority of the time. Also, it is reasonable to assume that it is mostly American gov't agencies who make up most of the requests.


The bill isn't about user data!

Even if you think it is, you're not addressing the concern, which is that regardless of what the situation is with user data, it is difficult for private companies to share operational intel with the USG, and even more difficult for the USG to share operational intel out.


Argh, you're describing two entirely unrelated scenarios. And tptacek has explained this many many times already; I've read half a dozen explanations by him in HN comments in the last 3 days alone. Disagree with his suggestions for what we ought to do, sure, but at least try to understand what's going on before you make snippy comments.

If the USG thinks John Doe is a criminal, they can go after his data via various avenues, including warrants, subpoenas, NSLs, blah blah. This is one situation.

A separate situation is that Google thinks there is crime afoot, and wants to report it, but they cannot meaningfully give any information to law enforcement because of privacy laws.

It's like if your business got burgled, and you let the cops into your business to collect evidence, and while doing their job there they find out that John Doe is one of your customers, and that he visited your shop on July 9th, or something, and now you've committed a crime for letting the cops know about John Doe.

I'm not saying CISPA is a good idea or a bad idea. (And I think various people have raised some legitimate concerns.) I'm saying that you should try to understand what it's permitting; it's not giving the USG new abilities to force their way in to read user data, it's giving victims of crime permission to take certain actions to fight crime. (Maybe we shouldn't give them those permissions, though.)

And by the way, it might be reasonable to make assumptions about how many of those transparencyreport requests are USG agencies... EXCEPT that the same *@$% page you linked has actual numbers, that prove your assumption wrong. In the most recent 6-month reporting period, 21,389 total requests, 8,438 of them (40%) from the USG.


Why are court orders unreasonable?


Because the tempo of incidents in a real security response practice is very high, orders of magnitude higher than the tempo of criminal investigations.

This is one of those places where I'd suggest you want to be careful what you wish for. Here's why:

If we can generally agree that there is a kind of operational network security data that should reasonably be shareable --- say, Netflow records corresponding to a DDoS in progress --- and that data is routinely generated, then requiring a court order to share it routinizes the court order process.

When you make a routine out of what was intended to be an exception, it stops being an exception. A court order is a demand from the state that someone do things. We probably want court orders to be on the "right" side of the base rate fallacy.


Perhaps a more strict definition of Cyber Threat Intelligence would help. If the definition was narrowed to exclude private data, that would go a long way. But doesn't the US-CERT already do this? What information would the US-CERT like to share that they cannot currently share?


I think people think US-CERT is more important than it actually is because of its history, which included a long stretch where it was the only incident response team anyone had heard of. But in reality, US-CERT does very, very little: it is a clearinghouse for heavily redacted vulnerability information that has usually been in the mainstream for a long time.

Did you read the definition of cyber threat information in the bill? It's here: http://intelligence.house.gov/hr-624-bill-and-amendments

If so, I'd be interested in your ideas for improving the definition.

Thank you for the thoughtful comment.


What law stops the USG from sharing malware samples and vulnerabilities? What part of CISPA changes that? I don't see anything about this when I skim through the bill.


Sec 1104 (a) (1)



