I have written about cybersecurity legislation, covering the House bill called CISPA. This week it’s the Senate’s turn with the Cyber Security Act of 2012 (PDF). One thing that always jumps out at me when looking at these bills is that they get away without a problem statement and without explaining how the bill is supposed to solve the problem. When you look at the text of the bill all you get for motivation is “To enhance the security and resiliency of the cyber and communications infrastructure of the United States.” Really. That’s it! Then it goes on for a shocking 211 pages to establish all sorts of new entities and projects that will require funding and future oversight and to give new rights to private companies and the government.
Now in one of my earlier posts I pointed out that I am actually sympathetic to the idea of making it possible for companies to share and pool attack data as a way of building more effective defenses. And I am also sympathetic to the idea of collecting and publishing incidence information in a way that lets us form an opinion on how big and real the perceived threat is in the first place. All of that could in my view be accomplished with a bill that’s a few pages long at best and provides a very tight specification of what is permitted. That bill would generate the data we would need to figure out if additional legislation is required at all.
Instead, despite its 211 pages, the current bill contains completely vague language. Here is just one example from Section 701:
[…] any private entity may […] operate countermeasures on its information systems to protect its rights or property from cybersecurity threats
And what exactly is the definition of a “countermeasure” you may ask? Here we go from page 47 of the bill:
The term ‘countermeasure’ means automated or manual actions with defensive intent to modify or block data packets […]
The definition goes on but the rest is mostly filler explaining where “packets” might be found. And what is a “cybersecurity threat”? That’s not defined! Maybe I didn’t look in all the right places, but I am pretty sure that the entire 211 pages don’t provide a definition for a fairly central concept.
So if you put the two together it says that companies including ISPs get to decide what they think a threat is and then go ahead and inspect, change or drop your traffic. That sounds pretty much like an invitation for deep packet inspection by ISPs. At least Senator Franken thought this was overly broad and has introduced an amendment to do away with Section 701 entirely.
Separately, Senator Wyden is planning to introduce an amendment to require warrants for GPS tracking. This had been a proposal for a separate bill but Wyden is suggesting that it would be a natural fit for the cybersecurity bill. I am not sure about that but I am a big fan of requiring warrants for this kind of information.
The bottom line is I would love to see either a very limited cybersecurity bill or none at all. But if we are going to get one as bulky as the current Senate version, then we might as well take out the worst part (Franken) and add something useful (Wyden). I will call my senators (Schumer and Gillibrand) about this and you should do the same. By the way, this page will connect you!
Update: I did not notice this at the time of writing, but Senator Schumer had already announced co-sponsoring the Franken amendment on the weekend.