Like a zombie it may rise again. But around 2 o’clock yesterday afternoon, members of the Senate confided to US News that, in the form in which the CISPA House bill was passed, “that” bill is dead. Pieces of it may be pushed through the Senate in an effort to preserve the parts that protect our cyber-structure, but those pieces designed to protect sitting politicians… consider them tossed.

Mike Rogers (R-Mich.), CISPA’s sponsor, has been pushing for such a bill for years, and has repeatedly insisted this will be the year it becomes law. In an answer given to a White House petition with over 100,000 signatures, President Obama vowed to veto it if it passed… 300,000 people petitioned Congress to scrap it.

Cybersecurity lobbying doubled in 2012 alone, outspending privacy groups by a factor of 14 to one… $55 million to $4 million.

Essentially, CISPA was supposed to help with cyber attacks. If we were attacked by a Stuxnet-style virus, CISPA would drop all privacy restraints and allow anyone connected to security to roam through any and all accounts with impunity…

Like credit card numbers. Like patient information. Like pictures of you in the nude. Like your contacts and business associates. Once compromised, if anything were to happen to you, say, information was leaked to your boss, or your spouse, or put inside a newspaper for everyone to read, you could not sue; you would have no recourse, and most likely you would be completely unaware this was going on until a friend happened to see it and let you know…

The sponsor of the bill wrongly says this is absolutely necessary to protect us from threats. However, not being able to sue because you were fired after your boss saw a medical file showing you were being treated for cancer does little to protect us from Chinese hackers.

And that is the problem. Furthermore, so much stuff flows on the internet that asking providers for specific data is like asking someone to retrieve a certain molecule of water from a flowing river. If CISPA passed, the internet would grind to a halt as every search engine and every server struggled to filter and organize all its data so that, if asked, it could legally provide it.

It is a bad bill. Yet its sponsor keeps bringing it back. And back. And back. Here is the Fourth Amendment to the US Constitution. The one CISPA violates.

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

This is the amendment against fishing expeditions. If you don’t have any charges to press, and don’t know of any particular evidence in a person’s possession, it is illegal to go to their house when they are not there and look around for something to pin on them… yet that is exactly what CISPA sponsor Mike Rogers’ bill will do…

It allows Senator Joseph McCarthy-style hearings to take place without the hearing.

But more odd is how one private company is all over Mr. Rogers’s CISPA, there at its inception, its creation, its Reichstag moment, and its demise. That private company is the cybersecurity consulting firm Mandiant… which is owned and run by Kevin Mandia out of Alexandria, Virginia. Kevin Mandia was brought in by Mike Rogers to testify as to the dangers our computer systems faced.

“China’s economic espionage has reached an intolerable level,” he said at a congressional hearing in October 2011. As head of the House Intelligence Committee, Rogers held a hearing on “Chinese hacking,” and one of those creating the report was Kevin Mandia, who was thanked by Rogers at the hearing’s end.

At the hearing, cyber security groups were there in force to testify, but no privacy groups were allowed inside. The conversation was one-way, with the cyber security groups insisting they would only share anonymous information with each other… Unfortunately that assertion could not be challenged.

But outside the closed hearing, privacy groups are saying it would let “companies hand over large swaths” of individuals’ private information “to the government, without a warrant.” Credit card numbers, bank papers, phone contacts…

Rogers argues that is a consequence, not an intent. No matter the reasoning behind it, CISPA allows it to happen. Quite possibly thousands or tens of thousands of people could be looking over your data because you happen to bank at Bank of America, or shop at Caldor… or Wal*Mart… when they come under attack…

When last year’s version was shot down, Rogers was undeterred.

There “appears to be a new level of threat that would target networks from—I’ve got to be careful here—an unusual source,” he said. He joked about how he wanted to share what he knew but couldn’t, because it was classified. “I look really bad in those orange jumpsuits with the numbers on the back,” he told his audience…

Then, almost as if on cue for this spring legislative session, in February 2013 the New York Times announced it had been hit by Chinese hackers, followed shortly by the Washington Post and Wall Street Journal. Then Twitter, Facebook, and Microsoft. Their stories differed, as did the severity of the attacks, but everybody agreed: these hacks were sophisticated, and they all seemed to come from China…

You probably remember the headline, just before the House vote on CISPA…

A cybersecurity firm had found the source of those attacks. In no uncertain terms, the firm claimed to have traced the hacking operation to a single 12-story building outside of Shanghai: People’s Liberation Army (PLA) Unit 61398. Hiding in plain sight, the report said, was a dedicated hacking operation run by the Chinese government…

And the firm that released it? Mandiant, whose CEO advised Rogers that day.

Mandiant’s report, backed by pages of data and years of research, relies on a few simple pieces of evidence. A loose coalition of similarly styled hacks all stem from the same source, codenamed APT1 (short for “Advanced Persistent Threat”). Mandiant traced the vast majority of the attacks to China—Shanghai, specifically—and noted that Unit 61398 was uniquely capable of sustaining such a sophisticated operation.

What was just said is that these hacks were traced to Shanghai, and in Shanghai there is this building, so they had to come from there…

Not so fast, says Jeff Carr, CEO of a different cybersecurity firm, Taia Global. He has a different explanation.

“Mandiant provided lots of facts about the PLA, and they provided a lot of facts about how APT1 works. I’m not disputing those. What I’m disputing is the conclusion that they drew. They created a table: in one column was characteristics of the PLA, the other was APT1, and they seemed to believe that the only possible conclusion was that the PLA is APT1. Well, that’s not the only possible conclusion.” Those other possibilities include Russia, Israel, and France, which the U.S. has acknowledged engages in cyber-espionage. It could also include Ukraine, Taiwan, or Germany. Or “APT1 could just be a group of professional hackers that are stealing information and selling it,” Carr said. “In fact, that makes more sense to me because of the lack of operation security that’s been exhibited by these guys.”

The fact that most of the hackers’ Internet protocol (IP) addresses trace back to China doesn’t mean much. Those are easy to fake—heck, moderately sophisticated Internet pirates fake theirs all the time to avoid getting caught. China, indignant, countered the Mandiant report partially on those lines. “As we all know, hacker attacks almost always steal IP addresses. It is common practice online,” China’s Department of Defense announced after Mandiant’s report, though it also said it traced a million hacks on its own network to the U.S., via those attackers’ IP addresses.

What that says in plain language is that a million hacks came from the US into the Chinese system and then went back to the US. A million hacks came from the US… just before CISPA was to be voted upon. And you have this very cozy relationship between the sponsor of the CISPA bill and a cyber security firm which had announced earlier that China was one day going to do massive hacks into the United States…

It worked. It fooled Democrat John Carney. He voted for CISPA.

“China is like the boogeyman to promote [CISPA],” cyber security specialist Carr added. “If you increase the fear around China, and then you wave CISPA, hopefully you will attract more movement to simply pass that—some blind attempt to heighten security.”

Bottom line is that CISPA would allow private companies (like Facebook, or your Internet service provider) to share your emails, text messages, or stored files with the government for “cybersecurity purposes,” and it would trump the existing laws that allow you to sue those companies for privacy violations.

All you know is that you got fired without cause and escorted out of your building…

Sharing information is a flawed concept… It is absolutely the wrong way to thwart an attack. So it appears the main thrust of the bill is to access information, NOT to thwart a cyber attack…

To thwart a cyber attack, one must take this approach…

“The solution is to assume your network is going to be breached, and you need to be able to identify what’s of value on that network, and segregate it and monitor it in real time. If somebody does gain access, and they’re accessing it from an IP address you don’t recognize or at a time of day where they shouldn’t be, you can immediately lock down that file. It’s known as data protection.” “It’s like the TSA. You tried to bring a bomb aboard in your shoe, so from now on we’ll just have everybody take off their shoes.”
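Carr’s approach, sketched as an added example that is not code from the article, Taia Global or Mandiant: a minimal monitor that checks each access to a file tagged as sensitive against a list of known source networks and business hours, and returns a lock-down decision when either check fails. The sensitive-file inventory, the network allowlist and the log lines are all constructed for illustration.

```python
# Added illustration of "assume breach, segregate, monitor, lock down".
# All inventory, networks and log lines below are constructed examples.
from datetime import datetime
from ipaddress import ip_address, ip_network

# Hypothetical inventory: the files that hold data worth protecting.
SENSITIVE_FILES = {"/finance/payroll.xlsx", "/hr/medical/claims.csv"}
# Hypothetical allowlist: networks from which access is expected.
KNOWN_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.1.0/24")]
BUSINESS_HOURS = range(8, 18)   # 08:00-17:59 local time
WEEKDAYS = range(0, 5)          # Monday=0 .. Friday=4

def parse_event(line):
    """Parse one 'timestamp user src_ip path' line (constructed log format)."""
    ts, user, src, path = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "src": ip_address(src), "path": path}

def evaluate(event):
    """Return (decision, reasons) for one access event."""
    if event["path"] not in SENSITIVE_FILES:
        return "allow", []          # not segregated data, nothing to enforce
    reasons = []
    if not any(event["src"] in net for net in KNOWN_NETWORKS):
        reasons.append("unrecognized source address")
    ts = event["ts"]
    if ts.weekday() not in WEEKDAYS or ts.hour not in BUSINESS_HOURS:
        reasons.append("outside business hours")
    return ("lock", reasons) if reasons else ("allow", [])

def monitor(lines):
    """Evaluate each log line; return the lock decisions with their reasons."""
    decisions = []
    for line in lines:
        ev = parse_event(line)
        decision, reasons = evaluate(ev)
        if decision == "lock":
            decisions.append((ev["path"], str(ev["src"]), reasons))
    return decisions

# Constructed sample log (2013-04-23 is a Tuesday): timestamp user src path
SAMPLE_LOG = [
    "2013-04-23T10:15:00 alice 10.1.2.3 /finance/payroll.xlsx",      # normal
    "2013-04-23T02:40:00 bob 10.1.2.9 /hr/medical/claims.csv",      # 2:40 AM
    "2013-04-23T11:05:00 carol 203.0.113.7 /finance/payroll.xlsx",  # unknown net
    "2013-04-23T11:06:00 carol 203.0.113.7 /public/brochure.pdf",   # not sensitive
]

if __name__ == "__main__":
    for path, src, why in monitor(SAMPLE_LOG):
        print(f"LOCK {path} from {src}: {', '.join(why)}")
```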

But, as for now, these details are all for naught…

CISPA’s gone, one more round, CISPA’s gone…
