Saturday, April 28, 2012

#CISPA: opt-in is not optional

One of the myths of CISPA (cybersecurity law) is that organizations do not have to share data with the government, that it's voluntary. The reality is that the government has lots of ways to pressure individuals/companies into volunteering.

In 2007, the FBI showed up at my office because of a speech I was to give two days later at BlackHat (the most important cybersecurity conference). They wanted me to cancel my talk because it was a threat to national security. This was crap: it was a threat to TippingPoint (I demonstrated how reverse engineering their signatures could disclose 0day vuln info). After trying to bribe me and threaten me to cancel my talk, TippingPoint got the FBI to do their dirty work.

It was a surreal experience. On one hand, the FBI kept repeating that they couldn't tell me to cancel my BlackHat talk, because we live in a free country with the First Amendment. On the other hand, they made it clear that if I did not "do the right thing" they would taint my FBI file so that I could never pass a background check, and could never work for the government again.

The FBI does the same thing when investigating cybercrime. If an organization doesn't voluntarily share with them the data on their servers, they get a broad warrant to come in and grab all computer equipment, regardless if it's related to the crime they are investigating or not.

Even if a site thinks there is only a 10% chance might obtain a warrant, it still has to comply, because that's a 10% chance they could kill the business.

The government is incompetent at cybersecurity. They are less able to secure their own systems than the private sector. Sharing private information with the government isn't going to change this -- this bill just provides a conduit for the government to get more information about its citizens that other laws (and the Bill of Rights) currently block.

Update: Some have questioned the relevance of this story to CISPA. The point is that they can intimidate you into volunteering. I'm an individual who stood up to the FBI on principle, but businesses won't. Almost all will opt-in to the CISPA data, because the government will make them an offer they can't refuse.
Update: Here is an example where the FBI first came and asked nicely for data, and when stimied, came back later and confiscated the servers: http://www.infosecisland.com/blogview/21186-FBI-Overreaches-with-May-First-Riseup-Server-Seizure.html.
Update: The Economist agrees that government will coerce companies into sharing data.

1 comment:

Anonymous said...

Perhaps security engineers should just make sure they're out of town for some amount of time before blackhat.