Last week Rep. Cicilline (D,RI) introduced HR 2977, the Consumer Privacy Protection Act of 2015. While the bulk of this bill is yet another personally identifiable information breach notification bill, it does (as I suspected) include criminal statute provisions that are not directly related to breach notification. Two of those provisions may have effects on control system security issues.
Those two provisions are:
Section 103. Authority to shut down botnets.
Section 104. Deterring the development and sale of computer and cell phone spying devices.
Botnets
Section 103 only actually refers to ‘botnets’ in the title of the section. What it actually does is amend 18 USC 1345 to specifically allow the use of injunctive relief to stop activities “violating section 1030(a)(5) [18 USC 1030] where such conduct would damage (as defined in section 1030), 100 or more protected computers (as defined in section 1030) during any 1-year period, including by denying access to or operation of the computers, installing unwanted software on the computers, using the computers without authorization, or obtaining information from the computers without authorization” {new §1345(a)(1)}.
The §1030(a)(5) violation really targeted for shutting down botnets would be found in sub-paragraph (A): “knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer”. This would also apply to other types of remote attacks, including drive-by download attacks via third-party web sites.
It is clear from the new paragraph (c) that is also added to §1345 that, with regard to botnets, the bill intends the AG to use this power to seek injunctions against third-party service providers that are not culpable in the operation of the botnet. That paragraph allows the AG to include in the petition for injunction provisions that {new §1345(c)(2)}:
∙ Specify that no cause of action shall lie in any court against a person for complying with the restraining order, prohibition, or other action; and
∙ Provide that the United States shall pay to such person a fee for reimbursement for such costs as are reasonably necessary and which have been directly incurred in complying with the restraining order, prohibition, or other action.
Sale of Computer and Cell Phone Spying Devices
Section 104 does not attempt to make it illegal to sell computer or cell phone spying devices; that is apparently already covered under 18 USC 2512. What it does do is amend 18 USC 1956 by adding a violation of §2512 to the list of ‘specified unlawful activity’ covered by the money laundering prohibition of §1956. This would allow the government to go after the money trail of those that do sell computer and cell phone spying devices.
Moving Forward
Cicilline is a relatively low ranking Democrat on the House Judiciary Committee, one of three committees assigned to consider this bill. The two provisions described above would be under the purview of the Judiciary Committee. It is unlikely that he would have the pull to get this bill considered in that committee and certainly not in the Energy and Commerce Committee or the Financial Services Committee. With a number of other breach notification bills wandering through the House, it is extremely unlikely that this bill will be considered by anyone.