The US President’s Proposal for Cyber Security Information Sharing Legislation


Yesterday’s blog entry talked about the US President’s call for legislation to enable more sharing of certain cybersecurity events between private industry and the Government.

Today’s entry will analyze the proposal and attempt to clarify some of the language. The original text below is taken from the Whitehouse.gov website.


CYBERSECURITY INFORMATION SHARING LEGISLATION

Sec. 101. Purpose.

This section states that the purpose of the legislation is to codify mechanisms for enabling cybersecurity information sharing between private and government entities, as well as among private entities, to better protect information systems and more effectively respond to cybersecurity incidents.

Comment: There are actually two different targets here. The first is to allow private-industry-to-government sharing (more on this later); the second is to allow sharing among private industry, including trade associations, competitors, and others.


Sec. 102. Definitions.

This section sets forth relevant definitions, including “cyber threat,” “Federal entity,” “malicious cyber command and control,” “malicious reconnaissance,” “operational control,” “technical control,” and “technical vulnerability,” among others.

The proposal defines “cyber threat indicator” as “information—

A) that is necessary to indicate, describe or identify —

  1. malicious reconnaissance, including communications that reasonably appear to be transmitted for the purpose of gathering technical information related to a cyber threat;
  2. a method of defeating a technical or operational control;
  3. a technical vulnerability;
  4. a method of causing a user with legitimate access to an information system or information that is stored on, processed by, or transiting an information system inadvertently to enable the defeat of a technical control or an operational control;
  5. malicious cyber command and control;
  6. any combination of (1)-(5).

B) from which reasonable efforts have been made to remove information that can be used to identify specific persons reasonably believed to be unrelated to the cyber threat”

Comment: This is the standard ‘definitions’ section that most bills nowadays must have. However, please note the following:

  1. Included is ‘malicious reconnaissance’. This is a term of art used to imply discretion in guessing the ‘intent’ of the network traffic. In my experience, this could be a ‘slippery slope’, especially when used together with the word ‘government’ in the same bill.
  2. The second point, ‘defeating…a control’, is a major ‘slippery slope’. Would people who root Android be reported? What about people who download movies from YouTube? I believe that this clause has to be substantially honed.
  3. I also find point 4 worrisome. The word ‘inadvertently’, together with the rest of that clause, would create a whole lot of notifications about people who ‘inadvertently’ allowed the defeat of controls and still get reported to the US Government. Not a good place to be.


More on my analysis of the Proposed Legislation tomorrow.