There you have it. If you've ever wondered why Microsoft seems to take its sweet time fixing security bugs in its software, this provides a plausible explanation: The spooks weren't done exploiting them yet. As to whose computers were exploited and which side of the Atlantic and Pacific they resided on, your guess is as good as anyone's.
All of this is completely legal, by the way. Companies are sharing the data voluntarily, and because it doesn't include personally identifiable information, not even the kangaroo court known as FISA need be involved.
The CISPA connection
But it does bring the push for CISPA into clearer focus.
We've been told that the Cyber Intelligence Sharing and Protection Act is a desperately needed piece of legislation to allow companies to share information about cyber attacks with law enforcement. What it really sounds like, though, is an attempt to codify and expand intelligence gathering in the opposite direction -- to retroactively justify the secret data sharing that's already going on and expand it to include personal information.
Who's the big sponsor behind CISPA? Rep. Mike Rogers (R-Mich.), who happens to be chair of the House Intelligence Committee (an oxymoron if ever there was one) and has surely been secretly briefed on all of this and much more.
Here's what I wrote about CISPA last April, after it cleared the House by a vote of 288 to 127:
The problem with CISPA is that in its current form it's still vague and ripe for abuse. It absolves corporations of being responsible for what happens to the data they've collected. It allows data sharing with the entire federal government, not just the parts responsible for ensuring our safety. It circumvents other laws designed to limit governmental access to private information. And it can be deployed for a wide range of perceived threats that have nothing to do with attacks on our nation's infrastructure. In that it is very much like the Patriot Act, which was allegedly written to combat terrorists but ended up being used primarily against run-of-the-mill drug dealers, money launderers, tree-huggers, and vegetarians (yes, really).
Is North Korea a threat to our nation's infrastructure? Possibly. WikiLeaks, not so much. But to the legislators who came up with CISPA there's little difference.
None of that has changed. But given the revelations we've witnessed over the past week -- and no doubt more to come -- it should give pause to even staunch supporters of CISPA. Whether it has a similar effect on our government is less clear.
Should tech companies secretly share data with the spooks? Post your not-so-secret thoughts below or email me: email@example.com. (And no, I cannot guarantee the NSA won't read it first.)
This article, "NSA, PRISM, and CISPA: The conspiracy behind the conspiracy," was originally published at InfoWorld.com. Follow the crazy twists and turns of the tech industry with Robert X. Cringely's Notes from the Field blog, and subscribe to Cringely's Notes from the Underground newsletter.