Senator Exploits JP Morgan Data Breach to Push Surveillance Bill


US Govt

The hackers who stole information from 76 million households and 7 million businesses aren't the only ones exploiting people in the JP Morgan Chase security breach. Politicians are, too.

Sen. Angus King (I-Maine), who sits on the Senate Intelligence Committee, issued a statement pushing for some government action:

This terrible news only further underscores the urgent need for Congress to pass comprehensive cyber security legislation. … Congress must work to pass legislation that will improve our capabilities and protect us against more attacks like these. The next Pearl Harbor will be cyber, and shame on us if we're not prepared for it. We have a bi-partisan bill teed up in the Senate and I'd like to see it move before the end of the year.

That bill is the Cybersecurity Information Sharing Act (CISA).

Earllier this year, a broad coalition of about two dozen organizations, including the National Coalition Against Censorship and the National Whistleblower Center, signed a letter to congressional leaders earlier this year explaining why this bill has little to do with cybersecurity and more to do with prosecuting whistleblowers, curtailing people's online privacy, and making government less transparent.

The Electronic Frontier Foundation notes that this is just latest iteration of unpopular "cybersecurity" bills (like CISPA and SOPA) that lawmakers have been pushing for the last four years, and points out some serious problems:

The bill authorizes companies to launch countermeasures for a "cybersecurity purpose" against a "cybersecurity threat." "Cybersecurity purpose" is so broadly defined that it means almost anything related to protecting (including physically protecting) an information system, which can be a computer or software. The same goes for a "cybersecurity threat," which includes anything that "may result" in an unauthorized effort to impact the availability of the information system. Combined, the two definitions could be read by companies to permit attacks on machines that unwittingly contribute to network congestion. The countermeasures clause will increasingly militarize the Internet—a prospect that may appeal to some "active defense" (a.k.a. offensive) cybersecurity companies, but does not favor the everyday user.

Second, the bill adds a new authority for companies to monitor information systems to protect an entity's rights or property. Here again, the broad definitions could be used in conjunction with the monitoring clause to spy on users engaged in potentially innocuous activity. Once collected, companies can then share the information, which is also called "cyber threat indicators," freely with government agencies like the NSA.

The American Civil Liberties Union adds that CISA would esentially "circumvent the warrant requirement [of the Fourth Amendment] by allowing the government to approach companies directly to collect personal information."

[Hat tip: Techdirt, Mike Masnick]