The Cybersecurity Information Sharing Act (CISA) is a done deal. But the debate over both its security value and privacy implications isn’t. It lingers, in some cases more intense than ever.
The mere fact that it has become law is historic – there have been numerous attempts in Congress, spanning nearly a decade, to craft a bill that would enable the sharing of cyber-threat indicators among government and private-sector entities without creating liability risks for companies or jeopardizing personal privacy.
And CISA, according to its proponents, comes as close as politically possible to achieving those goals. So while they were not gloating, they were relieved and gratified after it finally passed Congress in late December, tucked inside the 2016 Omnibus Appropriations bill (pages 1,728-1,863) and re-named the “Cybersecurity Act of 2015”.
They say it offers real hope of tipping the balance in favor of the good guys in combatting everything from corporate data breaches to other online crime, economic espionage and terrorism.
To Scott Talbott, senior vice president, government relations, at the Electronic Transactions Association, the value of sharing cyber threat indicators ought to be obvious.
“The value is that everyone can be alerted to cyber threats and take precautionary countermeasures before they materialize and spread,” he said. “Before CISA, corrective measures could be taken only after the cyber threat had done its damage. CISA allows each company to serve as an early warning system to the entire economy.”
Paul Rosenzweig, founder of Red Branch Law & Consulting and a former deputy assistant secretary for policy at the U.S. Department of Homeland Security (DHS), said complaints from opponents that CISA amounts to a surveillance bill are, “not grounded in a realistic assessment.
“Every law is capable of being abused,” he said, “but saying that CISA is a surveillance bill is like saying the law that created food stamps is an obesity bill.”
But that complaint from opponents – that CISA hands the government a major surveillance tool – remains persistent and vociferous.
“I think this bill was meant to be a surveillance bill from the start,” said Justin Harvey, CSO of Fidelis Cybersecurity, adding that he is dubious that the stated intent of the bill – to use collective intelligence to warn of potential cyber attacks and possibly stop them before they occur – will result.
More likely, he said, is that the kind of government surveillance – collection of metadata – on citizens that was being conducted by the National Security Agency (NSA) before former NSA contractor Edward Snowden exposed it, will return.
“Under the guise of ‘sharing threat intelligence,’ this bill allows companies to wholesale collect what is known as a ‘cyber threat indicator’ and pass it along for review to determine if it is a threat, or if the U.S. government has knowledge of the indicator,” he said.
Harvey noted that a number of proposed amendments that sought to tighten privacy provisions – one by Sen. Al Franken (D-Minn.) would have required a strict definition of “cyber threat indicator” – failed to pass.
The failure of that amendment, he said, “means that companies, and the U.S. government, can determine, on the fly, what a cyber threat indicator is.”
He said that leaves the matter wide open, to the point that government could decide that even an encryption key is a threat. “With no definition of what these indicators are, government can decide what is relevant,” he said.
That concerns David Williamson, vice president of professional services at MetricStream, as well. The incentives in the bill, he said, are for companies, “to pass information about people that can't be proven not to be threat indicators – did we all follow that? – to the DHS and then to the NSA, where it will be linked to other information the feds keep on its citizens.
“Once aggregated, linked and shared among the various federal agencies, there are no limits to the purposes for which this information can be used,” he said.
Evan Greer, campaign director of Fight For The Future, said in a prepared statement that the data collected will, “inevitably be used to investigate, prosecute, and incarcerate more people, deepening injustices in our society while failing to improve security.”
And Ben Desjardins, director of security solutions at Radware, said CISA could even undermine security. The collection and hoarding of threat data by a government that has failed to protect its own workers’ privacy (a reference to the catastrophic hack of the Office of Personnel Management last year that compromised the personal information of an estimated 21.5 million current and former federal workers), he said, will, “expand the attack surface and create a high target treasure trove of data.”
Sen. Dianne Feinstein (D-Calif.), vice chairwoman of the Senate Intelligence Committee and a sponsor of CISA, has complained a number of times that the bill’s opponents had been “spreading misinformation” about it. She said, before the Senate’s 74-21 passage of the bill in October, that it had gone through a number of iterations to add “substantial” privacy provisions.
But privacy advocates like the Electronic Freedom Foundation (EFF) continue to insist that the final bill, “does not fix any core privacy concerns.”
In a statement, the group said CISA, even after some final amendments, “remains a fundamentally flawed bill, which already suffers from broad immunity clauses, vague definitions and aggressive spying authorities.”
And Robyn Green, policy counsel at New America's Open Technology Institute, has regularly called it, “train wreck for privacy and security.”
One might argue that the PII (personally identifiable information) of U.S. citizens is already in government hands – it is the government that issues or keeps records of identifiers like Social Security numbers, drivers licenses, property deeds, passports etc.
But Harvey said the privacy risk is not about basic PII. “This is about the metadata, and data, of our online activities,” he said. “Enterprises and the government will decide what is classified as an indicator, and if that happens to be all of your browsing history, unencrypted – possibly even encrypted – communications, clear-text emails and so on, it is allowed under the bill. “
Proponents say this exaggerates the privacy threat. They note that the portal through which threat indicators are shared will not be run by military or intelligence agencies, but by the civilian DHS.
Susan Hennessey, general counsel of the Lawfare Institute and managing editor of the Lawfare blog, wrote in a recent post that the DHS information sharing portal, called the Automated Indicator Sharing (AIS) system, “has been up and running for months,” in response to President Obama’s Presidential Policy Directive 21 and Executive Order 163636.
And she said DHS has designed the portal to eliminate personal information. “If an entity attempts to share information not within the designated portal fields, the data is automatically deleted before reaching DHS,” she wrote. “Think of an online form for, say, making a flight reservation: If you try to enter your favorite animal in the credit card field, it just doesn’t work.”
That, she said, minimizes, “the risk of ingesting PII that is not itself a component of the threat indicator.”
Opponents remain unconvinced. Stripping out some PII before it is shared with other agencies is “fruitless,” Williamson said. “Once it is enriched with other public and private data, it will give government agencies nearly boundless information about its citizenry.”
Desjardins agreed. “The differences between surveillance and threat monitoring are really shades of gray,” he said. “The vague language of what would be classified as cyber-threat indicators rightly has privacy advocates concerned that this is a wide-open path to sharing everything in the hopes of finding something deemed relevant.”
Williamson said his biggest concern is how future governments will use the powers granted by CISA. “The FBI and other security organizations quickly classified the Occupy Wall Street movement as a terrorist organization,” he said. “Who may tomorrow’s ‘terrorists’ be? The left? The right? People who vote out the current government? The IRS investigated the Tea Party in 2014. Who might be unpopular in the future?”
Harvey said the data privacy is “a global issue,” not just for corporations, government and data brokers but also, “Google, Facebook and almost every site that provides a service on the Internet.
The United States needs to follow the European Union’s lead in defining privacy protection law(s). The EU has the GDPR (General Data Protection Regulation). Where is ours?”