by So, there’s a TON of stuff going around online about CISPA – the Cyber Intelligence Sharing and Protection Act. There’s a great, if long, thread on Reddit, but if you want something shorter, the EFF has a FAQ, and there’s a Myth vs Fact PDF on House.gov.
The overall purpose of this legislation is actually decent. The idea is that cybersecurity threats are more easily defensible if people share information about attacks. This is exactly the same idea as the RBL anti-spam lists that tons of people subscribe to. The problem is in the details, though.
The text of the bill isn’t actually that long, but one of the things that you’ll see on Page 9, is Section 1104b(4) is “Exemption from Liability”. Here’s the text:
1 (4) EXEMPTION FROM LIABILITY.—No civil or
2 criminal cause of action shall lie or be maintained in
3 Federal or State court against a protected entity,
4 self-protected entity, cybersecurity provider, or an
5 officer, employee, or agent of a protected entity, self-
6 protected entity, or cybersecurity provider, acting in
7 good faith—
8 (A) for using cybersecurity systems to
9 identify or obtain cyber threat information or
10 for sharing such information in accordance with
11 this section; or
12 ‘‘(B) for decisions made based on cyber
13 threat information identified, obtained, or
14 shared under this section.
So essentially, any efforts made to investigate attempted breaches are exempted from criminal or civil cases, so long as the efforts were made in good faith? Really? What kind of aggressive action does that exemption extend to? If I see attempted breaches of my web server, do I have free reign to trace the visitor back to the source and try to breach their security in return, so that I can try to determine if this is a bot attack or a concerted effort?
Under this provision, it seems like I do, and that I can’t even be taken to civil court for damages caused during my “investigation”. Does that seem right to you? It doesn’t to me, either.
CISPA has passed in the US House of Representatives. Demand Progress has a campaign to ensure it dies in the Senate. If, after reading through the bill, you also agree that this isn’t something that you want passed, then you should contact your Senator. If you aren’t in the United States, this law still affects you, since you can’t bring a lawsuit in the US against any entity that hacks you back…you know, in “good faith”. The EFF has a page for non-US folks where you can sign a petition.
I’m not telling you what to think. I’m only telling you what I think. And I think this sucks.
This blog post originally appeared on Standalone SysAdmin.