Cyber sharing bill shares too much, critics say

Years of attempts to craft legislation that would promote sharing of cyber threat information within industry and government have gone nowhere. And this year’s efforts are facing the same kind of criticism – that what government calls “sharing” amounts to surveillance.

According to ‘70s hippie comics Cheech & Chong, “Everybody shares stuff, man.”

Maybe if it’s weed. But, apparently not if it’s cyber threat information.

Supposedly, creation of a federal framework for that kind of sharing among industries and government has been a priority for years for all parties involved – President Obama, Congress and private sector enterprises that are under constant, ever-more-sophisticated attacks.

But after years of proposals, there are still no results. And if privacy and civil liberties advocates prevail in the current dustup, there won’t be any results this year either.

The latest efforts – several bills on both the House and Senate side – have had varied success. Two House bills – the Protecting Cyber Networks Act, or PCNA (H.R. 1560) and the National Cybersecurity Protection Advancement Act of 2015, or NCPAA (H.R. 1731) – easily passed and were combined into one labeled H.R. 1560.

A Senate bill, the Cyber Information Sharing Act (S. 754), proposed as an amendment to the National Defense Authorization Act, got the declared support of the White House earlier this month.

But it faces withering opposition from privacy and civil liberties organizations, and even from the federal government’s own Department of Homeland Security which, in a letter to Sen. Al Franken (D-Minn.), warned that the sharing provisions of the bill, “could sweep away important privacy protections, particularly the provisions in the Stored Communications Act limiting the disclosure of the content of electronic communications to the government by certain providers.”

The private sector opponents of the bill were much more broad and blunt in their criticism. In a letter to the president dated July 27, 40 organizations and 31 individuals urged him to veto the bill, contending that it violated the administration’s own stated priorities to, “preserve Americans’ privacy, data confidentiality, and civil liberties and recognize the civilian nature of cyberspace.”

Robyn Green, policy counsel at New America's Open Technology Institute – one of the signatories – said that CISA, “completely fails to address the president's stated priorities for information sharing legislation … it's a train wreck for privacy and security, and Congress simply needs to go back to the drawing board."

Lee Tien, senior staff attorney and Adams Chair for Internet Rights at the Electronic Frontier Foundation (which also signed the letter), said that the word “sharing” is, “such a euphemism. The bills are about monitoring other people’s communications and sending those communications or information from or about those communications to the U.S. government. Surveillance, in other words.”

The Senate is in recess this month, and the staff of Sen. Richard Burr (R-NC), chairman of the Senate Intelligence Committee and sponsor of CISA, did not respond to a request for comment. But Sen. Dianne Feinstein (D-Calif.), vice-chair of the committee, noted in March that the bill had been reported out of the committee on a 14-1 vote. And she complained that opponents were spreading “misinformation” about it.

“The goal of the bill is for companies and the government to voluntarily share information about cybersecurity threats – not personal information – in order to better defend against attacks," she said, adding that the committee had made, “more than a dozen significant changes from last year's version. The privacy provisions are substantial and I believe address many of the concerns that had been raised in regard to earlier drafts of the bill."

For anybody following the issue, this sounds like déjà vu all over again.

It was three years ago, in 2012, that a number of bills – the most prominent called the Cyber Information Sharing and Protection Act (CISPA) – were also the subject of fierce debate, over the same issues.

While initially supported by industry in general, that support began to erode when Mozilla, the nonprofit Internet search firm, came out against it. The company said CISPA, “has a broad and alarming reach that goes far beyond Internet security. The bill infringes on our privacy, includes vague definitions of cyber security, and grants immunities to companies and government that are too broad around information misuse.”

Former U.S. Rep. and Republican presidential candidate Ron Paul described it as, “Big Brother writ large, putting the resources of private industry to work for the nefarious purpose of spying on the American people.”

Opponents of CISA contend it has the same problems. The letter to Obama argued that it, “fails to protect users’ personal information. It allows vast amounts of personal data to be shared with the government, even that which is not necessary to identify or respond to a cybersecurity threat.”

The bill, as written, also authorizes government at all levels, “to use cyber threat indicators to investigate crimes that have nothing to do with cybersecurity, such as robbery, arson, and carjacking, as well as identity theft and trade secret violations,” the letter said.

All of which prompts at least two questions: Is it even possible to craft a bill that encourages threat information sharing while still protecting privacy and civil liberties? And is it worth continuing to try?

According to Tien, such legislation is not really necessary. “Over and over, we hear senators, and the White House, solemnly insist that information sharing is needed,” he said. “Yet they can’t even begin to connect failures of information sharing to the attacks and data breaches we read about, such as Target, Neiman-Marcus, OPM (federal Office of Personnel Management) or Ashley Madison.”

The problem, he said, is weak security. He cited the recent 3-0 U.S. 3rd Circuit Court of Appeals’ decision upholding the Federal Trade Commission’s (FTC) authority to sue the Wyndham hotel chain for lax security that resulted in breaches in 2008 and 2009, which compromised the data of more than 600,000 customers and led to $10.6 million in fraudulent charges.

The court’s written decision said the problem was not “weak” firewalls, IP address restrictions, encryption and passwords, but rather that in many cases, there weren’t “any” security measures in place. And it acidly noted that, “Wyndham did not respond to this argument in its reply brief.”

“That’s another great example of the irrelevance of information ‘sharing’,” Tien said, calling it, “a solution in search of a problem. Or perhaps it’s a solution to some other problem, but not that of computer security.”

Joel Harding, a retired military intelligence officer and information operations expert, disagrees with Tien about the value of information sharing. “My background in cybersecurity is from a U.S. government perspective, so I naturally tend to promote information sharing in order to more accurately portray the developing situation,” he said, adding, “I still feel that way.”

But he agrees with Tien and other CISA critics that the bill does not contain, “enough protections for people or corporations whose information may be shared throughout the government. All too often we have seen information not adequately protected and sensitive personal and corporate information gets into the wrong hands,” he said.

Whatever the flaws in CISA, there are voices in the private sector that support some kind of information sharing legislation. One of them, the Society for Information Management's Advanced Practices Council, has formed the CIO Coalition for Open Security, whose members advocate for it.

Madeline Weiss, director of the council, said the coalition favors legislation that would accomplish three main objectives:

- Create a forum for organizations to identify the best tools for information sharing and cyber resiliency.

- Create an anonymous database of cyber attack and breach information.

- Support federal legislation that offers liability protections for firms that share threat information.

In a post last October on CIO Insight, Weiss noted that information sharing amounts to “collective intelligence. We need to connect people and computers, so that collectively they act more intelligently than any individual, group or computer has ever done,” she wrote.

Madeline Weiss, director, Society for Information Management's Advanced Practices Council

One member of the coalition, the CIO for a Fortune 1000 company who declined to be identified, said the goal is to, “eliminate all obstacles that currently get in the way of entities sharing their cyber attacks and threats as they occur. Legislation that protects them from any form of backlash or retribution or legal risk in sharing this information is required to make this happen,” he said.

Evidence of that need, he said, is the court ruling on the FTC’s suit against Wyndham. For organizations that are breached, “apart from towering legal fees and a damaged reputation, now an appeals court has confirmed that the FTC can slap you with fines as well,” he said.

Legislative protection, he argued, would, “eliminate the time lag between when you know you've been hacked or exposed and when you report it.”

Whether that is possible is anyone’s guess. During the 2012 debate over CISPA, Harding noted that, “we have been discussing this issue for close to 15 years. I even did my MBA thesis on it.”

Stories by Taylor Armerding