There are no amendments to CISA that I can find (CISPA collected quite a few amendments, some of which were very relevant to HN, before the bill eventually died).
I read CISA so you don't have to! (You still should). Here's a summary:
There are three particularly important defined concepts:
<<Sec. 2 (5) (A) "Threats">>, which means "unauthorized activity" that might plausibly compromise confidentiality, integrity, or availability, but that isn't either protected speech or a mere ToS violation.
<<Sec 2 (6) "Indicators">>, the most important concept in the bill, which is, roughly: logs of recon activity, exploit techniques, vulnerability data, account hijack techniques (I think this bill actually tries to capture the notion of an XSS), bot C&Cs, damage reports on attacks, and anything else related to security and not already prohibited by law.
<<Sec 2 (7) "Defensive measures">>, roughly, things that stop or monitor attacks.
"Defensive measures" is a confusing concept in the bill. For a while, it was thought that CISA would authorize something akin to hack-back privilege for private entities; it does not. Meanwhile, defensive measures are probably already lawfully shareable. Anyway, the bill allows you to share both indicators and defenses.
The bill allows the USG to share indicators and defensive measures with private entities, and vice versa.
So then:
Section 3 of the bill authorizes the USG to share stuff with private entities. This isn't the part of the bill that concerns people (we all probably want more sharing from USG to private entities; for instance, that's what we're saying every time we demand NSA fork over its zero-days).
Section 4 authorizes private entities to share with the USG. Here's what it allows:
(a) You can monitor your own systems, or those of people who give you written authorization, for any security purpose, notwithstanding any previous limitation on monitoring. Even if ECPA or student records law says you shouldn't monitor, if you're doing it to deal with security threats, you're now allowed to.
(b) You can run your own defensive measures, or defensive measures on people who give you written authorization. Ok then.
(c) You can share indicators and defenses with the USG, and receive them from the USG so long as you comply with their sharing restrictions.
(d) You have to keep the data secure, you can't share it willy-nilly, and before you share anything, you have to (1) review it for PII and (2) anonymize any PII you find.
Sec 4 (d) (4) has problematic language that allows, say, Facebook to provide written authorization to the USG to prosecute based on shared indicators; in theory, they can do this even if the prosecution they're going to launch isn't related to a computer crime, but just happens to be illuminated by the indicator Facebook shared. (But remember: Facebook can't share under CISA unless they have a bona fide cybersecurity purpose for doing so).
Section 5 has a bunch of rulemaking authority in it, but buried in it is Sec 5 (d) (5) (a), which gives all the purposes FedGov is allowed to use indicators for:
* any security purpose
* attributing threats
* determining whether threats are foreign
* preventing immediate disaster/harm (iv)
* stopping child sex trafficking (v)
* stopping major felonies, espionage, trade secret theft (vi)
(iv), (v), and (vi) are major problems; these aren't cybersecurity purposes at all, but rather a sort of "these crimes are so bad that we're allowed to repurpose indicators to deal with them", which, maybe fair enough (except for trade secret theft), but still, not OK that new investigative capabilities are buried in the middle of a cybersecurity bill.
I could be missing a further limitation, but doesn't Section 4(a) de facto amount to a repeal of all other laws that limit monitoring? Yes, the exception is limited to monitoring for a "security purpose", but a pretty broad range of things can be justified as a "security purpose". I'm also skeptical that courts will seriously second-guess companies' representations on that point.
Yep, I called that section out for that reason. I'm not particularly worried about it (I think this part of CISA mostly just clarifies something that was already pretty much settled).
Companies aren't allowed to just make up "security purpose", though; under CISA, they have to be monitoring for threats as construed in CISA, which means, for instance, they can't find exemption for liability for monitoring for mere ToS violations.
Couldn't one collect logs of all things, under the auspices of collecting logs that (may) contain "recon activity" and "exploits"? It seems on a surface reading that one could collect all those under the umbrella of collecting Indicators, and then also use it for things like selling-to-advertisers or other business-related things.
Of course, our terms of use on most sites already say they can collect + monetize such things, so maybe this is moot.
I'm not sure I see the part of CISA that allows you to sell your logs to advertisers. I do see lots of places in the bill that allow sharing to other private entities or to the USG for cybersecurity purposes.
https://www.govtrack.us/congress/bills/114/s754/text