Posts

The Administration Statement on CISA

/2 Comments/in /by

I wanted to analyze the Administration’s statement on the Cyber Intelligence Sharing Act, which I’ve reproduced in its entirety below. Opponents of the bill feel the statement betrays Obama’s stated (though usually not performed) commitment to civil liberties. And they point to the statement’s criticism of defensive measures (see the fifth paragraph below) as one reason the President should oppose this bill but isn’t.

Of course, that misconstrues the purpose of such statements, which is to influence the shape of bills as the sausage gets made. As such, this statement commends Richard Burr for concessions he has made, while pointing to the areas where the Administration will push for improvement.

In addition to the defensive measures provision, the chief area the White House is pushing for improvements is on the area where CISA is most vulnerable: on the centrality of DHS to the process.

As such, the Administration supports Senate passage of S. 754, while continuing to work with the Congress as S.754 moves through the legislative process to ensure further important changes are made to the bill, including, but not limited to, preserving the leadership of civilian agencies in domestic cybersecurity.

[snip]

Focusing real-time sharing through one center at DHS enhances situational awareness, facilitates robust privacy controls, and helps to ensure oversight of such sharing. In addition, centralizing this sharing mechanism through DHS will facilitate more effective real-time sharing with other agencies in the most efficient manner.

Therefore, in order to ensure a focused approach and to facilitate streamlined information sharing while ensuring robust privacy protections, the Administration will strongly oppose any amendments that would provide additional liability-protected sharing channels, including expanding any exceptions to the DHS portal. In addition, the Administration remains concerned that the bill’s authorization to share with any Federal entity, notwithstanding any other provision of law, weakens the bill’s requirement that information be shared with a civilian entity.

Basically, the Administration is still trying to stave off a Tom Cotton effort to let entities share directly with the FBI. Cotton’s amendment is bad — but it mostly just exposes the reality of the bill for what it really is.

Moreover, the White House is nuts if they think the current structure will reflect meaningful involvement from DHS. As I noted the other day — and DailyDot reconfirmed today — other agencies (like the FBI) can veto any meaningful involvement from DHS.

So I’m not really surprised by the content of this statement, and the Administration’s signals they want to push defensive measures and DHS involvement in a particular direction. I am concerned about their apparent analysis of the state of the bill.

An important building block for improving the Nation’s cybersecurity is ensuring that private entities can collaborate to share timely cyber threat information with each other and the Federal Government. In January, the President submitted a legislative proposal to the Congress with the goal of, among other things, facilitating greater information sharing amongst the private sector and with the Federal Government. The Administration’s proposal provides a focused approach to incentivize more cybersecurity information sharing while ensuring the protection of privacy, confidentiality, and civil liberties. As the Administration has previously stated, information sharing legislation must carefully safeguard privacy, confidentiality, and civil liberties, preserve the long-standing respective roles and missions of civilian and intelligence agencies, and provide for appropriate sharing with targeted liability protections. The Administration is encouraged by the strong bipartisan support for cybersecurity information sharing legislation in the Congress.

The Administration appreciates that the Senate Select Committee on Intelligence adopted several amendments to S. 754 to address some of the Administration’s most significant concerns and is further encouraged that the bill’s sponsor has proposed additional changes on the Senate floor. This work has strengthened the legislation and incorporated important modifications to better protect privacy. As such, the Administration supports Senate passage of S. 754, while continuing to work with the Congress as S.754 moves through the legislative process to ensure further important changes are made to the bill, including, but not limited to, preserving the leadership of civilian agencies in domestic cybersecurity.

The Administration supports S. 754’s requirement that an entity sharing information with the Federal Government must share that information through the Department of Homeland Security (DHS) in order to receive liability protections. Moreover, S. 754 requires that such sharing be governed by privacy protection guidelines and that DHS must further disseminate such information in real-time with other Federal agencies. The Administration supports real-time sharing amongst Federal agencies with appropriate privacy protections, and is currently developing such a capability at DHS. Focusing real-time sharing through one center at DHS enhances situational awareness, facilitates robust privacy controls, and helps to ensure oversight of such sharing. In addition, centralizing this sharing mechanism through DHS will facilitate more effective real-time sharing with other agencies in the most efficient manner.

Therefore, in order to ensure a focused approach and to facilitate streamlined information sharing while ensuring robust privacy protections, the Administration will strongly oppose any amendments that would provide additional liability-protected sharing channels, including expanding any exceptions to the DHS portal. In addition, the Administration remains concerned that the bill’s authorization to share with any Federal entity, notwithstanding any other provision of law, weakens the bill’s requirement that information be shared with a civilian entity. This remains a significant concern, and the Administration is eager to work with the Congress to seek a workable solution.

S. 754 authorizes the use of certain potentially disruptive defensive measures in response to network incidents, provisions that were not included in the Administration’s proposal. The use of defensive measures raises significant legal, policy, and diplomatic concerns and, without appropriate safeguards, can have a direct deleterious impact on foreign policy, the integrity of information systems, and cybersecurity. The Administration is encouraged, however, that the bill’s sponsor has proposed changes that would limit an entity from employing a defensive measure that would provide it unauthorized access to another entity’s network. Though the Administration remains concerned that the bill’s authorization to operate defensive measures may prevent the application of other laws such as State common-law tort remedies, it is encouraged that the additional changes will help to appropriately constrain the use of defensive measures. The Administration is committed to continue working with stakeholders to address remaining concerns.

The Administration commends the Committee for recognizing that cybersecurity requires a whole-of-government approach and that information must be appropriately shared within the Federal Government. This sharing must be consistent with certain narrow cybersecurity use restrictions, as well as privacy, confidentiality, and civil liberties protections and transparent oversight. The Administration commends the Committee for requiring that intra-governmental sharing be governed by a set of policies and procedures developed by the Federal Government to protect privacy and civil liberties. The Administration is encouraged that the bill’s sponsor has proposed changes that would preserve the Federal Government’s ability to implement privacy protective policies and procedures. The Administration is encouraged by changes the bill’s sponsor has proposed to ensure that information sharing provided for in the bill is narrowly focused on the important purpose of this bill, the protection of information systems and information from cybersecurity threats and security vulnerabilities. Finally, the Administration is pleased that S.754 includes provisions that will improve the cybersecurity of Federal networks and systems. Consistent with the bill’s requirements, the Administration will implement this authority in a manner that both enhances cybersecurity and continues to protect the confidentiality, availability, and integrity of Federal agencies’ data.

Information sharing is one piece of a larger suite of legislation needed to provide the private sector, the Federal Government, and law enforcement with the necessary tools to combat cyber threats, and create for consumers and businesses a strong and consistent notification standard for breaches of personal data. In addition to updating information sharing statutes, the Congress should incorporate privacy, confidentiality protection, and civil liberties safeguards into all aspects of cybersecurity legislation.

The Pro-Scrub Language Added to CISA Is Designed to Eliminate DHS’ Scrub

/3 Comments/in /by

I’ve been comparing the Manager’s Amendment (MA) Richard Burr and Dianne Feinstein introduced Wednesday with the old bill.

A key change — one Burr and Feinstein have highlighted in their comments on the floor — is the integration of DHS even more centrally in the process of the data intake process. Just as one example, the MA adds the Secretary of Homeland Security to the process of setting up the procedures about information sharing.

Not later than 60 days after the date of the enactment of this Act, the Attorney General and the Secretary of Homeland Security shall, in coordination with the heads of the appropriate Federal entities, develop and submit to Congress interim policies and procedures relating to the receipt of cyber threat indicators and defensive measures by the Federal Government. [my emphasis]

That change is applied throughout.

But there’s one area where adding more DHS involvement appears to be just a show: where it permits DHS conduct a scrub of the data on intake (as Feinstein described, this was an attempt to integrate Tom Carper’s and Chris Coons’ amendments doing just that).

This is also an issue DHS raised in response to Al Franken’s concerns about how CISA would affect their current intake procedure.

To require sharing in “real time” and “not subject to any delay [or] modification” raises concerns relating to operational analysis and privacy.

First, it is important for the NCCIC to be able to apply a privacy scrub to incoming data, to ensure that personally identifiable information unrelated to a cyber threat has not been included. If DHS distributes information that is not scrubbed for privacy concerns, DHS would fail to mitigate and in fact would contribute to the compromise of personally identifiable information by spreading it further. While DHS aims to conduct a privacy scrub quickly so that data can be shared in close to real time, the language as currently written would complicate efforts to do so. DHS needs to apply business rules, workflows and data labeling (potentially masking data depending on the receiver) to avoid this problem.

Second, customers may receive more information than they are capable of handling, and are likely to receive large amounts of unnecessary information. If there is no layer of screening for accuracy, DHS’ customers may receive large amounts of information with dubious value, and may not have the capability to meaningfully digest that information.

While the current Cybersecurity Information Sharing Act recognizes the need for policies and procedures governing automatic information sharing, those policies and procedures would not effectively mitigate these issues if the requirement to share “not subject to any delay [or] modification” remains.

To ensure automated information sharing works in practice, DHS recommends requiring cyber threat information received by DHS to be provided to other federal agencies in “as close to real time as practicable” and “in accordance with applicable policies and procedures.”

Effectively, DHS explained that if it was required to share data in real time, it would be unable to scrub out unnecessary and potentially burdensome data, and suggested that the “real time” requirement be changed to “as close to real time as practicable.”

But compare DHS’s concerns with the actual language added to the description of the information-sharing portal (the new language is in italics).

(3) REQUIREMENTS CONCERNING POLICIES AND PROCEDURES.—Consistent with the guidelines required by subsection (b), the policies and procedures developed and promulgated under this subsection shall—

(A) ensure that cyber threat indicators shared with the Federal Government by any entity pursuant to section 104(c) through the real-time process described in subsection (c) of this section—

(i) are shared in an automated manner with all of the appropriate Federal entities;

(ii) are only subject to a delay, modification, or other action due to controls established for such real-time process that could impede real-time receipt by all of the appropriate Federal entities when the delay, modification, or other action is due to controls—

(I) agreed upon unanimously by all of the heads of the appropriate Federal entities;

(II) carried out before any of the appropriate Federal entities retains or uses the cyber threat indicators or defensive measures; and

(III) uniformly applied such that each of the appropriate Federal entities is subject to the same delay, modification, or other action; and

This section permits one of the “appropriate Federal agencies” to veto such a scrub. Presumably, the language only exists in the bill because one of the “appropriate Federal agencies” has already vetoed the scrub. NSA (in the guise of “appropriate Federal agency” DOD) would be the one that would scare people, but such a veto would equally as likely to come from FBI (in the guise of “appropriate Federal agency” DOJ), and given Tom Cotton’s efforts to send this data even more quickly to FBI, that’s probably who vetoed it.

If you had any doubts the Intelligence Community is ordering up what it wants in this bill, the language permitting them a veto on privacy protections should alleviate you of those doubts.

On top of NSA and FBI’s veto authority, there’s an intentional logical problem here. DHS is one of the “appropriate Federal agencies,” but DHS is the entity that would presumably do the scrub. Yet if it can’t retain data before any other agency, it’s not clear how it could do a scrub.

In short, this seems designed to lead people to believe there might be a scrub (or rather, that under CISA, DHS would continue to do the privacy scrub they are currently doing, though they are just beginning to do it automatically) when, for several reasons, that also seems to be ruled out by the bill. And ruled out because one “appropriate Federal agency” (like I said, I suspect FBI) plans to veto such a plan.

So it has taken this Manager’s Amendment to explain why we need CISA: to make sure that DHS doesn’t do the privacy scrubs it is currently doing.

I’ll explain in a follow-up post why it would be so important to eliminate DHS’ current scrub on incoming data.

CISA Moves: A Summary

/13 Comments/in /by

This afternoon, Aaron Richard Burr moved the Cyber Intelligence Sharing Act forward by introducing a manager’s amendment that has limited privacy tweaks (permitting a scrub at DHS and limiting the use of CISA information to cyber crimes that nevertheless include to prevent threat to property), with a bunch of bigger privacy fix amendments, plus a Tom Cotton one and a horrible Sheldon Whitehouse one called as non-germane amendments requiring 60 votes.

Other than that, Burr, Dianne Feinstein, and Ron Wyden spoke on the bill.

Burr did some significant goalpost moving. Whereas in the past, he had suggested that CISA might have prevented the Office of Public Management hack, today he suggested CISA would limit how much data got stolen in a series of hacks. His claim is still false (in almost all the hacks he discussed, the attack vector was already known, but knowing it did nothing to prevent the continued hack).

Burr also likened this bill to a neighborhood watch, where everyone in the neighborhood looks out for the entire neighborhood. He neglected to mention that that neighborhood watch would also include that nosy granny type who reports every brown person in the neighborhood, and features self-defense just like George Zimmerman’s neighborhood watch concept does. Worse, Burr suggested that those not participating in his neighborhood watch were had no protection, effectively suggesting that some of the best companies on securing themselves — like Google — were not protecting customers. Burr even suggested he didn’t know anything about the companies that oppose the bill, which is funny, because Twitter opposes the bill, and Burr has a Twitter account.

Feinstein was worse. She mentioned the OPM hack and then really suggested that a series of other hacks — including both the Sony hack and the DDOS attacks on online banking sites that stole no data! — were worse than the OPM hack.

Yes, the Vice Chair of SSCI really did say that the OPM hack was less serious than a bunch of other other hacks that didn’t affect the national security of this country. Which, if I were one of the 21 million people whose security clearance data had been compromised, would make me very very furious.

DiFi also used language that made it clear she doesn’t really understand how the information sharing portal works. She said something like, “Once cyber information enters the portal it will move at machine speed to other federal agencies,” as if a conveyor belt will carry information from DHS to FBI.

Wyden mostly pointed out that this bill doesn’t protect privacy. But he did call out Burr on his goalpost moving on whether the bill would prevent (his old claim) or just limit the damage 0f (his new one) attacks that it wouldn’t affect at all.

Wyden did, however, object to unanimous consent because Whitehouse’s crappy amendment was being given a vote, which led Burr to complain that Wyden wasn’t going to hold this up.

Finally, Burr came back on the floor, not only to bad mouth companies that oppose this bill again (and insist it was voluntary so they shouldn’t care) but also to do what I thought even he wouldn’t do: suggest we need to pass CISA because a 13 year old stoner hacked the CIA Director.

Better Put Tom Cotton and His 46 Co-Conspirators on the No-Fly List

/14 Comments/in , /by

Screen Shot 2015-03-09 at 2.46.18 PMAs Josh Rogin first reported, Tom Cotton and 46 other Senators have written a letter to the “leaders of the Islamic Republic of Iran.” They want to warn them that without Senate ratification, the agreement they’re working to sign with President Obama will just be an executive agreement that a future President could just revoke with the stroke of a pen.

Now, much as I’d like the Executive to be reined in in other areas, foreign affairs is the area where they’re supposed to act like an Executive. That was the whole point of moving from a confederation to a federation. So this intervention is improper in that sense, on top of serving the purported interests of Israeli right-wingers more than serving American interests.

The entire production ought to focus more attention on something I’ve been trying to get people to look at: the fundraiser held directly after Congress willingly acted like Bibi Netanyahu’s trained seal, also reported by Josh Rogin. Did Sheldon Adelson pay off all of  Bibi’s trained seals? On what scale?

Plus, Jack Goldsmith catches the Senators in an error about what the Constitution actually says (Tom Cotton as a JD from Harvard Law School, where Goldsmith teaches).

The letter states that “the Senate must ratify [a treaty] by a two-thirds vote.”  But as the Senate’s own web page makes clear: “The Senate does not ratify treaties. Instead, the Senate takes up a resolution of ratification, by which the Senate formally gives its advice and consent, empowering the president to proceed with ratification” (my emphasis).  Or, as this outstanding  2001 CRS Report on the Senate’s role in treaty-making states (at 117):  “It is the President who negotiates and ultimately ratifies treaties for the United States, but only if the Senate in the intervening period gives its advice and consent.”  Ratification is the formal act of the nation’s consent to be bound by the treaty on the international plane.  Senate consent is a necessary but not sufficient condition of treaty ratification for the United States.  As the CRS Report notes: “When a treaty to which the Senate has advised and consented … is returned to the President,” he may “simply decide not to ratify the treaty.”

This is a technical point that does not detract from the letter’s message that any administration deal with Iran might not last beyond this presidency.  (I analyzed this point here last year.)  But in a letter purporting to teach a constitutional lesson, the error is embarrassing.

Me, I’ve got another concern for these poor Senators.

Iran’s leaders are, according to the Senators’ own claims, evil terrorist-supporting murderers. Indeed, our own government considers them as such, not only imposing sanctions but — according to Dianne Feinstein and Keith Alexander — also treating Iran as one of the few “terrorist groups” association with which the NSA can use to contact chain on its dragnets of American communications.

In short, the government believes that anyone conducting communications with such people are terrorist suspects themselves, and should be dumped into a big database to have all their collected metadata analyzed for further signs of terrorism.

Tom Cotton and his 46 collaborators are now just 1-degree of separation from what they consider some badass terrorists. We’ve seen people be put on the No-Fly list for far less.

I don’t think that’s right, mind you. There’s a problem with metadata analysis.

That’s a problem the Senators might do better looking to correct, rather than working to keep the Middle East unstable for Israel’s interests.

Update: As the screen capture above makes clear, Tom Cotton has now placed himself at one degree of separation from the terrorist sponsor Ayatollah Khamenei via dead tree and Twitter.

Amash-Conyers Fails 205-217

/25 Comments/in , /by

In one of the closest votes in a long time for civil liberties, the Amash-Conyers amendment just failed, but only barely, by a vote of 205-217.

The debate was lively, with Mike Rogers, Michele Bachmann, and Iraq verteran Tom Cotton spoke against the amendment; Amash closely managed time to include a broad mix of Democrats and Republicans.

The only nasty point of the debate came when Mike Rogers (R-MI) suggested Justin Amash (R-MI) was leading this charge for Facebook likes.

Update: Here’s the roll call.