Saturday, 2 June 2012

CISPA: A Sporked Bill

To provide for the sharing of certain cyber threat intelligence and cyber threat information between the cyber intelligence community and cybersecurity entities, and for other cyber purposes, including the overuse of the word "cyber."


Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,


SECTION 1. SHORT TITLE.


This Act may be cited as the ‘‘Cyber IntelligenceSharing and Protection Act of 2011’’.


 


It may also be cited as “Copyright Is Still Paramount, Agreed?”


SEC. 2. CYBER THREAT INTELLIGENCE AND INFORMATION SHARING TO BENEFIT THE IP MAXIMALISTS, though we're pretending it's about enemy spies. We'll work it in somehow, you'll see.


(a) IN GENERAL.—Title XI of the National InSecurity Act of 1947 (50 U.S.C. 442 et seq.) is amended by adding at the end the following new section:


‘‘CYBER THREAT INTELLIGENCE AND INFORMATION SHARING


‘‘SEC. 1104. (a) INTELLIGENCE COMMUNITY SHARING OF CYBER THREAT INTELLIGENCE (or lack thereof) WITH PRIVATE SECTOR Parasites.—


‘‘(1) IN GENERAL.—The Director of NationalIntelligence shall establish procedures to allow elements of the intelligence community to share cyberthreat intelligence with private-sector entities and to encourage the sharing of such intelligence because they'll continue to be prats about it until we introduce legislation that forces them to play nicely with each other.


‘‘(2) SHARING AND USE OF CLASSIFIED INTELLIGENCE authorised by the IP holders. Intelligence from other sources such as public interest groups doesn't count.—The procedures established under paragraph (1) shall provide that classified cyber threatintelligence may only be—


‘‘(A) shared by an element of the intelligence community with—


‘‘(i) certified entities; or


‘‘(ii) a person with an appropriate security clearance to receive such cyberthreat intelligence; and definitely not with Anonymous or Lulzsec.


‘‘(B) shared consistent with the need to protect the national security of the United States from genuine threats, not imaginary ones; and


‘‘(C) used by a certified lunatic entity in a manner which protects such cyber threat intelligence from unauthorized disclosure or being targeted for hacking.


‘‘(3) SECURITY CLEARANCE SALE APPROVALS.—The Director of National Intelligence shall issue guidelines and chatup lines, if you need them, providing that the head, shoulders, knees and toes of an element of the intelligence community may, as the head of such element considers necessary to carry out this subsection—


‘‘(A) grant a security clearance on a temporary or permanent basis to an employee or officer of a certified entity because they can't do it without someone else holding their hands;


‘‘(B) grant a security clearance on a temporary or permanent basis to a certified entity and approval to use appropriate facilities such as the Aston Martin DB5 and the pen that squirts poison gas; and


‘‘(C) expedite the security clearance process for a person or entity,considering that corporations are now people, as the head of such element considers necessary, consistent with the need to protect the national security of the United States and the most generous campaign fund donors' incomes.


‘‘(4) NO RIGHT OR BENEFIT.—The provision of information to a private-sector entity under this sub-section shall not create a right or benefit to similar information by such entity or any other private-sector entity so they'll have to do their own data-mining for commercial purposes.


‘‘(b) PRIVATE SECTOR USE Not ABUSE OF CYBERSECURITY SYSTEMS AND SHARING OF CYBER THREAT INFORMATION.—


‘‘(1) IN GENERAL.—


‘‘(A) CYBERSECURITY PROVIDERS.—Notwithstanding any other provision of law, except those ones we're not paying attention to, a cybersecurity provider, with the express consent of a protected entity for which such cybersecurity provider is providing goods or services for cybersecurity purposes, may, for cybersecurity purposes—


‘‘(i) use cybersecurity systems, you know, anti-spyware and keeping an eye on relevant websites to see if any hacking or DDoS attacks are being planned, to identify and obtain cyber threat information to protect the rights and property of such protected entity, otherwise known as doing what they're paid to do; and


‘‘(ii) share such cyber threat information with any other entity designated bysuch protected entity, including, if specifically designated, the Federal Government because they're making us pay for it, the toe-rags!


‘‘(B) SELF-PROTECTED ENTITIES.—Notwithstanding any other provision of law, apart from the ones we're ignoring,self-protected entity may, or may not, depending on what mood they're in, for cybersecurity purposes—


‘‘(i) use cybersecurity systems, not pictures of lolcats, to identify and obtain cyber threat information to protect the rights and property of such self-protected entity; and


‘‘(ii) share such cyber threat information with any other entity, including the Federal Government so we can laugh at the website defacement screenshots if you get owned.


‘‘(2) USE AND PROTECTION OF INFORMATION.—Cyber threat information shared in accordance with paragraph (1)—


‘‘(A) shall only be shared in accordance with any restrictions placed on the sharing of such information by the protected entity or self-protected entity authorizing such sharing so Facebook's millions of users don't quit on them, including, if requested, appropriate anonymization or minimization of such information to keep the SOPA meltdown from happening again;


‘‘(B) may not be used by an entity to gain an unfair competitive advantage to the detriment of the protected entity or the self-protected entity authorizing the sharing of information. We had to put that in because they'll totally do that if we let them; and


‘‘(C) if shared with the Federal Government—


‘‘(i) shall be exempt from disclosure under section 552 of title 5, United States Code because there's no sodding way we're gonna be accountable to the public;


‘‘(ii) shall be considered proprietary information that can be sold on for a license fee payable to the MPAA, RIAA, and other IP revenue collections agencies and shall not be disclosed to an entity outside of the Federal Government except as authorized by the entity sharing such information and appropriately licensed; and


‘‘(iii) shall not be used by the Federal Government for regulatory purposes because we want campaign $$ from these guys. That's what all this is in aid of.


(iv) No cause of action shall lie or sit or stand in any court against a covered entity that uses a cybersecurity system or shares cyber threat information or contributes to the CIA cookie fund in accordance with this section for the use of such cybersecurity system, the sharing of cyber threat information, or decisions made based on cyber threat information identified, obtained, fabricated by the FBI, or shared under this section, unless such covered entity engages in willful misconduct in the sharing of such information and such willful misconduct proxiniately causes injury. Good luck with proving that in court.


(B) Proof of Willful Misconduct.—


In an action against a covered entity alleging willful misconduct in the sharing of cyber threat information, the plaintiff shall have the burden of proving by clear and convincing evidence the willful misconduct by such covered entity and that such willful misconduct proximately caused injury. We will determine what “clear and convincing evidence” is, and if it is particularly damning, we'll have it marked as classified.


‘‘(3) EXEMPTION FROM LIABILITY.—No civil orcriminal cause of action shall lie or be maintained in Federal or State court against a protected entity because that's what “protected” means,self-protected entity, cybersecurity provider, or anofficer, employee, or agent of a protected entity, self-protected entity, or cybersecurity provider, or any campaign fund contributor, acting in good faith or at least pretending to. It's not like they'd ever admit to acting in bad faith, is it?


‘‘(A) for using cybersecurity systems or sharing information in accordance with this section because using anti-spyware programs and warning of imminent hacking or DDoS attacks is legitimate; or


‘‘(B) for not acting on information obtained or shared in accordance with this section even if it means Yahoo gets completely destroyed by LulzSec and stop suing Facebook over those patents it's allegedly infringing on.


‘‘(4) RELATIONSHIP TO OTHER LAWS REQUIRING THE DISCLOSURE OF INFORMATION.—The submission of information under this subsection to the


Federal Government shall not satisfy or affect anyrequirement under any other provision of law for a person or entity to provide information to the Federal Government so it's a waste of time, really.


‘‘(c) REPORT ON INFORMATION SHARING.—The Privacy and Civil Liberties Oversight Board that we're trying to find ways of circumventing establishedunder section 1061 of the Intelligence Reform and Terrorism Prevention Act of 2004 (5 U.S.C. 601 note) shall annually submit to Congress a report in unclassified form because we want to at least pretend we're being transparent containing—


‘‘(1) a review of the sharing and use of information particularly photographs of hot women in bikinis by the Federal Government under this section and the procedures and guidelines established or issued by the Director of National Intelligence or Playboy, whichever gets there first under subsection (a); and


‘‘(2) any recommendations of the Board for improvements or modifications to such authorities to address privacy and civil liberties concerns by telling people not to worry their pretty little heads and finding ways to supercede them.


‘‘(d) FEDERAL PREEMPTION.—This section supersedes any statute of a State or political subdivision of a State that restricts or otherwise expressly regulates an activity authorized under subsection (b) ,which we've already established is unnecessary.


‘‘(e) SAVINGS CLAUSE.—Nothing in this section shallbe construed to limit any other authority to use a cybersecurity system or to identify, obtain, or share cyber threat intelligence or cyber threat information or anything we deem to be a threat, including blog posts on Techdirt, EFF, or TorrentFreak.


‘‘(f) DEFINITIONS.—In this section:


‘‘(1) CERTIFIED ENTITY.—The term ‘certified entity’ means a cyber protected entity, cyber self-protected cyber entity, or cybersecurity provider that—


‘‘(A) possesses or is eligible to obtain a security clearance, as determined by the Director of National Intelligence, and anyone willing to look the other way when civil rights are being eroded;


‘‘(B) is able to demonstrate to the Directorof National Intelligence that such provider orsuch entity can appropriately protect classified


cyber threat intelligence by not making it available online or making an email account using “password1,” “letmein01,” or pet or children's names and memorable dates such as births, marriages or deaths as a password.


‘‘(2) CYBER THREAT INTELLIGENCE.—The term ‘cyber threat intelligence’ means being careful not to use easily guessable passwords, purchasing and installing anti-spyware software, regularly checking your email filters for forwarding to email addresses you don't own,and posts on Pastebin or any of the Anonymous accounts on Twitter in the possession or on the friends or following list of an element of the intelligence community directly pertaining to a vulnerability of, or threat to, or likely targeting of a system or network of a government or private entity, including information pertaining tothe protection of a system or network from—


‘‘(A) efforts to degrade, disrupt, or destroysuch system or network or post funny or creepy messages on a defaced website; or


‘‘(B) efforts to gain unauthorized access to a system or network, including efforts to gain such unauthorized access to steal or misappropriate private or government information and post the results on Pastebin and brag about it on Twitter with a picture of their girlfriend's chest. I mean, really, what were they thinking?


‘‘(3) CYBERSECURITY PROVIDER.—The term‘cybersecurity provider’ means a non-governmental entity that provides goods or services intended to beused for cybersecurity purposes and will cost and arm and a leg which we will squeeze out of the chumps taxpayers.


‘‘(4) CYBERSECURITY PURPOSE.—The term ‘cybersecurity purpose’ means the purpose of ensuring the integrity, confidentiality, unwarranted secrecy or availability of, or safeguarding, a system or network, including protecting a system or network from—


‘‘(A) efforts to degrade, disrupt, post funny messages on a defaced website,or brag about such activities on social media websites, or encourage other people to join in, or destroy such system or network; or


‘‘(B) efforts to gain unauthorized access to a system or network, including efforts to gain such unauthorized access or posting links to DDoS tools and not telling people what they are, which is epically douchey, to steal or misappropriate private or government information and post it on the internet for everyone to see.


‘‘(5) CYBERSECURITY SYSTEM.—The term ‘cybersecurity system’ means a system designed or employed to ensure the cyber integrity, cyber confidentiality, or cyber availability of, or cyber safeguard, a cyber system or cyber network,


including protecting a cyber system or cyber network from—


‘‘(A) efforts to degrade, disrupt, or destroysuch system or network or make fun of the overuse of the word “cyber”; or


‘‘(B) efforts to gain unauthorized access to a system or network, including efforts to gain such unauthorized access to steal or misappropriate private or government information or DDoS attacks, even if they fall flat and fail to bring the website down. Besides, it's getting old;


‘‘(6) CYBER THREAT INFORMATION.—The term ‘cyber threat information’ means information directly pertaining to a vulnerability of, or threat to asystem or network of a government or private entity, particularly when their employees are prone to using free email services and making their identity known on social networking sites, including information pertaining to the protection of a system or network from—


‘‘(A) efforts to degrade by posting degrading images from the foulest depths of 4Chan's message boards on the home page, or disrupt, or destroy such system or network; or


‘‘(B) efforts to gain unauthorized access to a system or network, including efforts to gain such unauthorized access to steal or misappropriate private or government information by reading the posts and profile pages of known employees on Facebook.


‘‘(7) PROTECTED ENTITY.—The term ‘protected entity’ means an entity, other than an individual,that contracts with a cybersecurity provider for goods or services to be used for cybersecurity purposes. This doesn't guarantee jack unless they're actually good at their job.


‘‘(8) SELF-PROTECTED ENTITY.—The term‘self-protected entity’ means an entity, other than an individual, that provides goods or services for cybersecurity purposes to itself. Ditto the above’’.


(b) PROCEDURES AND GUIDELINES.—The Directorof National lack of Intelligence shall—


(1) not later than 60 days after the date of theenactment of this Act and the post enactment party, will hopefully not be too hung over to establish procedures under paragraph (1) of section 1104(a) of the National Security Act of 1947 so we can spy on people we reckon are either spying or are drug dealers or terrorists, as added by subsection (a) of


this section, and issue guidelines under paragraph


(3) of such section 1104(a) that expand the definition of “reasonable belief”; and


(2) following the establishment of such procedures and the issuance of such guidelines that we can reasonably believe we can get away with without exciting the chattering classes overmuch, expeditiously distribute such procedures and such guidelines to appropriate Federal Government and private-sector entities to remind them that there's such a thing as the Constitution.


9 (c) INITIAL REPORT.—The first report required to besubmitted under subsection (c) of section 1104 of the National Security Act of 1947, regarding keeping schtum about the cloak-and-dagger stuff as added by subsection (a)of this section, shall be submitted not later than one year after the date of the enactment of this Act because we're waiting for the foreign spies to announce that all our bases are belong to them so we can make more draconian laws.


(d) TABLE OF CONTENTS AMENDMENT.— The table of contents in the first section of such Act is amended by adding at the end the following new item: to authorize a load of imaginary James Bond-style shenanigans at home or abroad. Mostly at home. Screw privacy, you don't need it.

No comments:

Post a Comment