CISPA: Understanding H.R. 624 And How It Affects DDoS Attacks


There’s already public outrage over CISPA, sponsored by Congressman Charles Albert “Dutch” Ruppersberger from Maryland. The media has already propped up the bill as another SOPA, an act to restrict freedoms while adding more surveillance of the average American. However, H.R. 624 isn’t quite what it was last year; with some heavy amendments it’s a substantially restructured take on the fight against cyber terrorism.

You can read H.R. 624 on the official Congress website. It’s equally important to read every single amendment made to it on the Amendment page.

Nevertheless, there’s already outrage in articles on sites like Tech Dirt and CNET, which followed an article on The Hill reporting that CISPA has returned and has been passed by the House.

The revived and revised bill is designed to have a division of the Government work with cyber-security teams to analyze cyber attacks and deal with the threats. Predictably, there is a lot of misinformation floating around because, unsurprisingly enough, very few people actually read through the whole bill, much less the amendments made to it. It’s also no surprise that Gawker’s Gizmodo has a typical outrage piece that completely misses the point.

There are some good parts, some bad parts and some decent parts. The bill isn’t perfect but it’s also not Hitler.

For example, the amendment limiting surveillance of United States persons, quoted in full further down, was made bright and clear for everyone to see.

On the flip side, if you’re a civilian or non-Federal entity who happens upon cyber threat information and shares it with a division of the Federal Government, it’s noted that such information…

“if shared with the Federal Government--[it] shall be exempt from disclosure under section 552 of title 5, United States Code (commonly known as the `Freedom of Information Act');”

What does this mean? It means that if you shared a cyber-security threat with a division of the Department of Justice or the appropriate authorities, the information would be exempt from disclosure if a civilian later requested it through the FOIA. This is not a good thing.

Additionally…

“Nothing in this subsection shall be construed to provide new authority to-- a cybersecurity provider to use a cybersecurity system to identify or obtain cyber threat information from a system or network other than a system or network owned or operated by a protected entity for which such cybersecurity provider is providing goods or services for cybersecurity purposes; or a self-protected entity to use a cybersecurity system to identify or obtain cyber threat information from a system or network other than a system or network owned or operated by such self-protected entity.”

Read carefully, this clause is about the providers, not the Government: a cyber-security company or piece of software hired to protect a customer gets no new authority to collect threat information from any network other than that customer’s, and a company protecting itself gets no new authority to collect from any network other than its own. In other words, the bill does not license a vendor to reach into third-party systems in the name of threat hunting. Even still, the language here is suspect, as the vague wording (“for cybersecurity purposes”) does leave it open to actionable interpretation.

Of course, there are also limits on what the Government may do with the information once it has it, with the bill stating…

“The Federal Government may use cyber threat information shared with the Federal Government in accordance with subsection (b)-- for cybersecurity purposes; for the investigation and prosecution of cybersecurity crimes; for the protection of individuals from the danger of death or serious bodily harm and the investigation and prosecution of crimes involving such danger of death or serious bodily harm; or for the protection of minors from child pornography, any risk of sexual exploitation, and serious threats to the physical safety of minors, including kidnapping and trafficking and the investigation and prosecution of crimes involving child pornography, any risk of sexual exploitation, and serious threats to the physical safety of minors, including kidnapping and trafficking, and any crime referred to in section 2258A(a)(2) of title 18, United States Code.”

Now there’s a section that starts to get circular and scary. Under the “Notification of non-cyber threat information”, it’s stated that…

“If a department or agency of the Federal Government receiving information pursuant to subsection (b)(1) determines that such information is not cyber threat information, such department or agency shall notify the entity or provider sharing such information pursuant to subsection (b)(1).”

Subsection (b)(1) refers to cyber-security providers who provide services or goods to “protected entities”. Essentially, if an agency of the Government receives information that turns out not to be cyber threat information, it has to notify the cyber-security team that shared it. So if your Facebook photos end up in the lap of the NSA because a cyber-security member thought they were relevant, even though they probably weren’t, the NSA would be required to notify the cyber-security team that the material isn’t relevant. It is, in effect, a safeguard against spying, although one that relies on the receiving agency policing itself.


It’s also noted that the information is not to be retained unless it’s related to a cyber-security threat. This is actually better than H.R. 4681, which allowed the Government or related agencies to retain information for up to five years, even if it wasn’t necessarily security-related information.

If the information-sharing restrictions are violated, the person harmed is owed either the “actual damages sustained” or the sum of $1,000. As stated in the bill, it’s “whichever is greater”.

There’s also a statute of limitations on liability for damages, so if it’s found that the information gathered by the Federal Government caused an individual some kind of harm, there’s only a two-year window to make a claim.

Under subsection (f), there are a number of clauses set up to prevent unauthorized data access by the Federal Government or by cyber-security institutions operating in conjunction with or under Government security agencies. Paragraphs (1) through (4) make it known that the Government gains no new information-sharing authority over private sector businesses. This means no new authority for coercing the private sector into conceding to Government spying.

As noted in the bill, companies that choose not to participate in any information-sharing program will not be held liable for declining…

“Nothing in this section shall be construed to subject a protected entity, self-protected entity, cyber security provider, or an officer, employee, or agent of a protected entity, self-protected entity, or cybersecurity provider, to liability for choosing not to engage in the voluntary activities authorized under this section.”

This means that if Microsoft decides to hand over your information, it does so of its own free will. Nothing in the bill dictates that companies must share your personal data; participation is voluntary.

In addition to this, the bill was also modified with the following amendment to make it clear as day…

“Limitation on surveillance.--Nothing in this section shall be construed to authorize the Department of Defense or the National Security Agency or any other element of the intelligence community to target a United States person for surveillance.”

So CISPA itself gives the NSA no authority to target a United States person for surveillance; if the NSA were caught doing so, it could not point to this bill as its legal basis. This is the same amendment referred to at the top of this article.

The bill also defines the cyber threats it covers, namely…

“...a threat to the integrity, confidentiality, or availability of a system or network or any information stored on, processed on, or transiting such a system or network; efforts to deny access to or degrade, disrupt, or destroy a system or network; or efforts to gain unauthorized access to a system or network, including to gain such unauthorized access for the purpose of exfiltrating information stored on, processed on, or transiting a system or network.”

If the above description sounds familiar, it should. The second clause, “efforts to deny access to or degrade, disrupt, or destroy a system or network,” describes a DDoS attack in all but name, and a DDoS also attacks the “availability” leg of the first clause.

So what does this have to do with gaming? Think of the recent PSN and Xbox Live attacks, or the recent extreme DDoS attacks on the 2chan infrastructure. In theory, of course, this could help bring such individuals to justice: CISPA would be designed to help track down individuals who engage in such nefarious activities, with the added amendments to keep Government agencies from spying on consumers or sharing consumer data.

Furthermore, the bill makes it known that a cyber-security contractor cannot be compelled to report incidents that pose no threat to the Government’s own information…

“Nothing in this Act or the amendments made by this Act shall be construed to provide authority to a department or agency of the Federal Government to require a cybersecurity provider that has contracted with the Federal Government to provide information services to provide information about cybersecurity incidents that do not pose a threat to the Federal Government's information.”

Another notable amendment makes it known that none of the information may be shared for marketing purposes, either, stating…

“Amendment clarifies that companies sharing cyber threat information with other companies cannot treat this sharing relationship as a loophole to sell a consumer's personal information for a marketing purpose.”

Technically, this bill, H.R. 624, is expressly designed to equip the Government to deal with today’s cyber-terrorist attacks. The explicit amendments to protect consumer data and user information are interesting, and the push-back from the media against this bill should be scrutinized with the same level of resolve as corrupt media outlets who have gone on the attack against #GamerGate.

(Featured image courtesy of S-Prog)

About

Billy has been rustling Jimmies for years. The GJP cried and their tears became his milkshake.
