Computer networks in the United States are under attack by sophisticated, state sponsored attackers. These attackers are spying on our strategic plans and stealing our technology. They do not only target government systems and networks, but private organizations as well. It is a very serious problem that could have long term strategic implications for our national security.

Traditional computer security controls have a hard time keeping up with these attackers, as they have developed attack techniques that evade those controls - they know about security vulnerabilities that are unpatched, for example. The U.S. Government has information about these threats that it uses to protect federal systems and networks. Private organizations are also targeted, and could benefit from having access to this information. The information consists of signatures for intrusion prevention systems, which look on the wire for indicators of attack.

The basic purpose of CISPA is to allow the federal government to share classified intrusion prevention signature information with people who work for private organizations and have government security clearances. I do not know why a new law is necessary in order to allow for this, but the fact is that this kind of information sharing may be important for protecting our computer systems and networks. CISPA also allows those private organizations to share information back to the government. That, I think, it where the trouble lies.

When this law was first proposed, civil liberties groups equated it with SOPA. SOPA had to do with creating a blacklist of foreign web sites that Americans are not allowed to view. CISPA has to do with protecting computer networks from attack. These are completely different motives, and conflating the two in order to rally the general public against CISPA seemed to me to be manipulative at best.

The reason that civil liberties groups are concerned about CISPA is language stating that this information sharing is authorized notwithstanding any other law - meaning the government could use these intrusion prevention systems to look for anything that could be rationalized to fit within CISPA's definition of cyber security threats, without a warrant.

One reason, I suspect, for the "notwithstanding" language is that intrusion prevention systems are prone to false positives. Organizations that receive these classified signatures aren't likely to know exactly what the signatures are REALLY supposed to be looking for. Classified information sharing has a tendency to be minimalistic. When one of these signatures fires, the organization running the signature will probably have little choice but to take a packet capture of the network session it fired on and hand that capture over the government. The government would have to examine that capture and determine whether or not this was really an attack or just... [ Read More (0.6k in body) ]