Information sharing bill passes, but privacy debate goes on

The controversial Cybersecurity Information Sharing Act (CISA) is now law. But opponents, who say it will function mainly as a government surveillance tool, are not standing down

The Cybersecurity Information Sharing Act (CISA) is a done deal. But the debate over both its security value and privacy implications isn’t. It lingers, in some cases more intense than ever.

The mere fact that it has become law is historic – there have been numerous attempts in Congress, spanning nearly a decade, to craft a bill that would enable the sharing of cyber-threat indicators among government and private-sector entities without creating liability risks for companies or jeopardizing personal privacy.

And CISA, according to its proponents, comes as close as politically possible to achieving those goals. So while they were not gloating, they were relieved and gratified after it finally passed Congress in late December, tucked inside the 2016 Omnibus Appropriations bill (pages 1,728-1,863) and re-named the “Cybersecurity Act of 2015”.

They say it offers real hope of tipping the balance in favor of the good guys in combatting everything from corporate data breaches to other online crime, economic espionage and terrorism.

To Scott Talbott, senior vice president, government relations, at the Electronic Transactions Association, the value of sharing cyber threat indicators ought to be obvious.

“The value is that everyone can be alerted to cyber threats and take precautionary countermeasures before they materialize and spread,” he said. “Before CISA, corrective measures could be taken only after the cyber threat had done its damage. CISA allows each company to serve as an early warning system to the entire economy.”

Scott Talbott, senior vice president, government relations, Electronic Transactions Association

Paul Rosenzweig, founder of Red Branch Law & Consulting and a former deputy assistant secretary for policy at the U.S. Department of Homeland Security (DHS), said complaints from opponents that CISA amounts to a surveillance bill are “not grounded in a realistic assessment.”

“Every law is capable of being abused,” he said, “but saying that CISA is a surveillance bill is like saying the law that created food stamps is an obesity bill.”

But that complaint from opponents – that CISA hands the government a major surveillance tool – remains persistent and vociferous.

“I think this bill was meant to be a surveillance bill from the start,” said Justin Harvey, CSO of Fidelis Cybersecurity, adding that he is dubious that the stated intent of the bill – to use collective intelligence to warn of potential cyber attacks and possibly stop them before they occur – will result.

More likely, he said, is that the kind of government surveillance – collection of metadata – on citizens that was being conducted by the National Security Agency (NSA) before former NSA contractor Edward Snowden exposed it, will return.

“Under the guise of ‘sharing threat intelligence,’ this bill allows companies to wholesale collect what is known as a ‘cyber threat indicator’ and pass it along for review to determine if it is a threat, or if the U.S. government has knowledge of the indicator,” he said.

Justin Harvey, CSO, Fidelis Cybersecurity

Harvey noted that a number of proposed amendments that sought to tighten privacy provisions – one by Sen. Al Franken (D-Minn.) would have required a strict definition of “cyber threat indicator” – failed to pass.

The failure of that amendment, he said, “means that companies, and the U.S. government, can determine, on the fly, what a cyber threat indicator is.”

He said that leaves the matter wide open, to the point that government could decide that even an encryption key is a threat. “With no definition of what these indicators are, government can decide what is relevant,” he said.

That concerns David Williamson, vice president of professional services at MetricStream, as well. The incentives in the bill, he said, are for companies, “to pass information about people that can't be proven not to be threat indicators – did we all follow that? – to the DHS and then to the NSA, where it will be linked to other information the feds keep on its citizens.

“Once aggregated, linked and shared among the various federal agencies, there are no limits to the purposes for which this information can be used,” he said.

Evan Greer, campaign director of Fight For The Future, said in a prepared statement that the data collected will, “inevitably be used to investigate, prosecute, and incarcerate more people, deepening injustices in our society while failing to improve security.”

Evan Greer, campaign director, Fight For The Future

And Ben Desjardins, director of security solutions at Radware, said CISA could even undermine security. The collection and hoarding of threat data by a government that has failed to protect its own workers’ privacy (a reference to the catastrophic hack of the Office of Personnel Management last year that compromised the personal information of an estimated 21.5 million current and former federal workers), he said, will, “expand the attack surface and create a high target treasure trove of data.”

Sen. Dianne Feinstein (D-Calif.), vice chairwoman of the Senate Intelligence Committee and a sponsor of CISA, has complained a number of times that the bill’s opponents had been “spreading misinformation” about it. She said, before the Senate’s 74-21 passage of the bill in October, that it had gone through a number of iterations to add “substantial” privacy provisions.

But privacy advocates like the Electronic Frontier Foundation (EFF) continue to insist that the final bill “does not fix any core privacy concerns.”

In a statement, the group said CISA, even after some final amendments, “remains a fundamentally flawed bill, which already suffers from broad immunity clauses, vague definitions and aggressive spying authorities.”

And Robyn Green, policy counsel at New America's Open Technology Institute, has regularly called it a “train wreck for privacy and security.”

One might argue that the PII (personally identifiable information) of U.S. citizens is already in government hands – it is the government that issues or keeps records of identifiers like Social Security numbers, driver's licenses, property deeds, passports, etc.

But Harvey said the privacy risk is not about basic PII. “This is about the metadata, and data, of our online activities,” he said. “Enterprises and the government will decide what is classified as an indicator, and if that happens to be all of your browsing history, unencrypted – possibly even encrypted – communications, clear-text emails and so on, it is allowed under the bill.”

Proponents say this exaggerates the privacy threat. They note that the portal through which threat indicators are shared will not be run by military or intelligence agencies, but by the civilian DHS.

Susan Hennessey, general counsel of the Lawfare Institute and managing editor of the Lawfare blog, wrote in a recent post that the DHS information sharing portal, called the Automated Indicator Sharing (AIS) system, “has been up and running for months,” in response to President Obama’s Presidential Policy Directive 21 and Executive Order 13636.

And she said DHS has designed the portal to eliminate personal information. “If an entity attempts to share information not within the designated portal fields, the data is automatically deleted before reaching DHS,” she wrote. “Think of an online form for, say, making a flight reservation: If you try to enter your favorite animal in the credit card field, it just doesn’t work.”

That, she said, minimizes, “the risk of ingesting PII that is not itself a component of the threat indicator.”
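The field-level filtering Hennessey describes can be illustrated with a small allow-list validator: a submission is reduced to its designated fields, each designated field must have the syntactic shape its indicator type requires, and everything else is dropped before the record is stored. The code below is an added example written for this article; it is not the article's own code and not the AIS portal's actual schema or implementation. The field names, indicator types, validation rules and sample submission are all constructed assumptions.

```python
"""Allow-list filter for threat-indicator submissions (illustrative, not AIS code)."""
import ipaddress
import re

# Constructed schema: the only fields a submission may carry. Assumed for
# illustration; the real AIS portal fields are not described on the page.
DESIGNATED_FIELDS = {"indicator_type", "indicator_value", "first_seen", "confidence"}
INDICATOR_TYPES = {"ipv4", "domain", "sha256", "email_sender"}
CONFIDENCE_LEVELS = {"low", "medium", "high"}

_SHA256 = re.compile(r"^[0-9a-f]{64}$")
_LABEL = r"(?!-)[a-z0-9-]{1,63}(?<!-)"          # one DNS label, no leading/trailing '-'
_DOMAIN = re.compile(rf"^{_LABEL}(\.{_LABEL})+$")
_EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
_DATE = re.compile(r"^\d{4}-\d{2}-\d{2}$")       # YYYY-MM-DD only


def value_matches_type(itype, value):
    """True only if `value` has the syntactic shape required by `itype`.

    This is the 'favourite animal in the credit card field' check: a value that
    does not look like the declared indicator type is rejected, whatever it says.
    """
    if not isinstance(value, str):
        return False
    if itype == "ipv4":
        try:
            ipaddress.IPv4Address(value)
            return True
        except ValueError:
            return False
    if itype == "domain":
        return bool(_DOMAIN.match(value.lower()))
    if itype == "sha256":
        return bool(_SHA256.match(value.lower()))
    if itype == "email_sender":
        return bool(_EMAIL.match(value))
    return False


def filter_submission(raw):
    """Split a raw submission into (accepted, rejected).

    accepted: dict of designated fields whose values passed their checks.
    rejected: dict mapping each dropped field to the reason it was dropped.
    Fields outside the designated set are dropped without being interpreted,
    so free-text notes, reporter names or victim addresses never reach the
    accepted record.
    """
    accepted, rejected = {}, {}
    for field in raw:
        if field not in DESIGNATED_FIELDS:
            rejected[field] = "field not in designated schema"

    itype = raw.get("indicator_type")
    if itype not in INDICATOR_TYPES:
        rejected["indicator_type"] = "unknown indicator type"
        if "indicator_value" in raw:
            rejected["indicator_value"] = "cannot validate without a known indicator type"
    else:
        accepted["indicator_type"] = itype
        if value_matches_type(itype, raw.get("indicator_value")):
            accepted["indicator_value"] = raw["indicator_value"]
        else:
            rejected["indicator_value"] = f"value does not have the shape of a {itype}"

    if "first_seen" in raw:
        if isinstance(raw["first_seen"], str) and _DATE.match(raw["first_seen"]):
            accepted["first_seen"] = raw["first_seen"]
        else:
            rejected["first_seen"] = "not a YYYY-MM-DD date"

    if "confidence" in raw:
        if raw["confidence"] in CONFIDENCE_LEVELS:
            accepted["confidence"] = raw["confidence"]
        else:
            rejected["confidence"] = "not one of low/medium/high"

    return accepted, rejected


# Constructed sample submission: two fields carry personal data outside the schema.
SAMPLE_SUBMISSION = {
    "indicator_type": "domain",
    "indicator_value": "login-update.example.net",
    "first_seen": "2016-01-04",
    "confidence": "high",
    "reporter_name": "J. Doe",                          # not designated -> dropped
    "notes": "victim jane@example.org clicked the link",  # free text with PII -> dropped
}

if __name__ == "__main__":
    kept, dropped = filter_submission(SAMPLE_SUBMISSION)
    print("accepted:", kept)
    print("rejected:", dropped)
```

The filter is structural, not semantic: a sender address submitted as an `email_sender` indicator passes because it sits in a designated field, while the same address inside a `notes` field is dropped. That is exactly the line Hennessey draws between PII that is a component of the indicator and PII that is not, and it is also why the critics quoted below focus on how broadly "indicator" is defined rather than on the portal's field checks.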

Opponents remain unconvinced. Stripping out some PII before it is shared with other agencies is “fruitless,” Williamson said. “Once it is enriched with other public and private data, it will give government agencies nearly boundless information about its citizenry.”

Desjardins agreed. “The differences between surveillance and threat monitoring are really shades of gray,” he said. “The vague language of what would be classified as cyber-threat indicators rightly has privacy advocates concerned that this is a wide-open path to sharing everything in the hopes of finding something deemed relevant.”

Williamson said his biggest concern is how future governments will use the powers granted by CISA. “The FBI and other security organizations quickly classified the Occupy Wall Street movement as a terrorist organization,” he said. “Who may tomorrow’s ‘terrorists’ be? The left? The right? People who vote out the current government? The IRS investigated the Tea Party in 2014. Who might be unpopular in the future?”

Harvey said data privacy is “a global issue,” not just for corporations, government and data brokers but also for “Google, Facebook and almost every site that provides a service on the Internet.

The United States needs to follow the European Union’s lead in defining privacy protection law(s). The EU has the GDPR (General Data Protection Regulation). Where is ours?”

Stories by Taylor Armerding