According to ‘70s hippie comics Cheech & Chong, “Everybody shares stuff, man.”
Maybe if it’s weed. But, apparently not if it’s cyber threat information.
Supposedly, creation of a federal framework for that kind of sharing among industries and government has been a priority for years for all parties involved – President Obama Congress and private sector enterprises that are under constant, ever-more-sophisticated attacks.
But after years of proposals, there are still no results. And if privacy and civil liberties advocates prevail in the current dustup, there won’t be any results this year either.
The latest effort – several bills on both the House and Senate side – have had varied success. Two House bills – the Protecting Cyber Networks Act, or PCNA (H.R. 1560) and the National Cybersecurity Protection Advancement Act of 2015, or NCPAA (H.R. 1731) – easily passed and were combined into one labeled H.R. 1560.
A Senate bill, the Cyber Information Sharing Act (S. 754), proposed as an amendment to the National Defense Authorization Act, got the declared support of the White House earlier this month.
But it faces withering opposition from privacy and civil liberties organizations, and even from the federal government’s own Department of Homeland Security which, in a letter to Sen. Al Franken (D-Minn.), warned that the sharing provisions of the bill, “could sweep away important privacy protections, particularly the provisions in the Stored Communications Act limiting the disclosure of the content of electronic communications to the government by certain providers.”
The private sector opponents of the bill were much more broad and blunt in their criticism. In a letter to the president dated July 27, 40 organizations and 31 individuals urged him to veto the bill, contending that it violated the administration’s own stated priorities to, “preserve Americans’ privacy, data confidentiality, and civil liberties and recognize the civilian nature of cyberspace.”
Robyn Green, policy counsel at New America's Open Technology Institute –one of the signatories – said that CISA, “completely fails to address the president's stated priorities for information sharing legislation … it's a train wreck for privacy and security, and Congress simply needs to go back to the drawing board."
Lee Tien, senior staff attorney and Adams Chair for Internet Rights at the Electronic Frontier Foundation (which also signed the letter), said that the word “sharing” is, “such a euphemism. The bills are about monitoring other people’s communications and sending those communications or information from or about those communications to the U.S. government. Surveillance, in other words.”
The Senate is in recess this month, and the staff of Sen. Richard Burr (R-NC), chairman of the Senate Intelligence Committee and sponsor of CISA, did not respond to a request for comment. But Sen. Dianne Feinstein (D-Calif.), vice-chair of the committee, noted in March that the bill had been reported out of the committee on a 14-1 vote. And she complained that opponents were spreading “misinformation” about it.
“The goal of the bill is for companies and the government to voluntarily share information about cybersecurity threats – not personal information – in order to better defend against attacks," she said, adding that the committee had made, “more than a dozen significant changes from last year's version. The privacy provisions are substantial and I believe address many of the concerns that had been raised in regard to earlier drafts of the bill."
For anybody following the issue, this sounds like déjà vu all over again.
It was three years ago, in 2012, that a number of bills – the most prominent called the Cyber Information Sharing and Protection Act (CISPA) – were also the subject of fierce debate, over the same issues.
While initially supported by industry in general, that support began to erode when Mozilla, the nonprofit Internet search firm, came out against it. The company said CISPA, “has a broad and alarming reach that goes far beyond Internet security. The bill infringes on our privacy, includes vague definitions of cyber security, and grants immunities to companies and government that are too broad around information misuse.”
Former U.S. Rep. and Republican presidential candidate Ron Paul described it as, “Big Brother writ large, putting the resources of private industry to work for the nefarious purpose of spying on the American people.”
Opponents of CISA contend it has the same problems. The letter to Obama argued that it, “fails to protect users’ personal information. It allows vast amounts of personal data to be shared with the government, even that which is not necessary to identify or respond to a cybersecurity threat.”
The bill, as written, also authorizes government at all levels, “to use cyber threat indicators to investigate crimes that have nothing to do with cybersecurity, such as robbery, arson, and carjacking, as well as identity theft and trade secret violations,” the letter said.
All of which prompts at least two questions: Is it even possible to craft a bill that encourages threat information sharing while still protecting privacy and civil liberties? And is it worth continuing to try?
According to Tien, such legislation is not really necessary. “Over and over, we hear senators, and the White House, solemnly insist that information sharing is needed,” he said. “Yet they can’t even begin to connect failures of information sharing to the attacks and data breaches we read about, such as Target, Neiman-Marcus, OPM (federal Office of Personnel Management) or Ashley Madison.”
The problem, he said, is weak security. He cited the recent 3-0 U.S. 3rd Circuit Court of Appeals’ decision upholding the Federal Trade Commission’s (FTC) authority to sue the Wyndham hotel chain for lax security that resulted in breaches in 2008 and 2009, compromised the data of more than 600,000 customers and led to $10.6 million in fraudulent charges.
The court’s written decision said the problem was not “weak” firewalls, IP address restrictions, encryption and passwords, but rather that in many cases, there weren’t “any” security measures in place. And it acidly noted that, “Wyndham did not respond to this argument in its reply brief.”
“That’s another great example of the irrelevance of information ‘sharing’,” Tien said calling it, “a solution in search of a problem. Or perhaps it’s a solution to some other problem, but not that of computer security.”
Joel Harding, a retired military intelligence officer and information operations expert, disagrees with Tien about the value of information sharing. “My background in cybersecurity is from a U.S. government perspective, so I naturally tend to promote information sharing in order to more accurately portray the developing situation,” he said, adding, “I still feel that way.”
But he agrees with him and other CISA critics that the bill does not contain, “enough protections for people or corporations whose information may be shared throughout the government. All too often we have seen information not adequately protected and sensitive personal and corporate information gets into the wrong hands,” he said.
Whatever the flaws in CISA, there are voices in the private sector that support some kind of information sharing legislation. One of them, the Society for Information Management's Advanced Practices Council, has formed the CIO Coalition for Open Security, whose members advocate for it.
Madeline Weiss, director of the council, said the coalition favors legislation that would accomplish three main objectives:
- Create a forum for organizations to identify the best tools for information sharing and cyber resiliency.
- Create an anonymous database of cyber attack and breach information.
- Support federal legislation that offers liability protections for firms that share threat information.
In a post last October on CIO Insight, Weiss noted that information sharing amounts to “collective intelligence. We need to connect people and computers, so that collectively they act more intelligently than any individual, group or computer has ever done,” she wrote.
One member of the coalition, the CIO for a Fortune 1000 company who declined to be identified, said the goal is to, “eliminate all obstacles that currently get in the way of entities sharing their cyber attacks and threats as they occur. Legislation that protects them from any form of backlash or retribution or legal risk in sharing this information is required to make this happen,” he said.
Evidence of that need, he said, is the court ruling on the FTC’s suit against Wyndham. For organizations that are breached, “apart from towering legal fees and a damaged reputation, now an appeals court has confirmed that the FTC can slap you with fines as well,” he said.
Legislative protection, he argued, would, “eliminate the time lag between when you know you've been hacked or exposed and when you report it.”
Whether that is possible is anyone’s guess. During the 2012 debate over CISPA, Harding noted that, “we have been discussing this issue for close to 15 years. I even did my MBA thesis on it.”