November 18, 2015 // By Michael Lester
Most people in the security realm know that the Cybersecurity Information Sharing Act (CISA) passed the Senate recently. Government groups are lauding the bill as the next step in the cybersecurity battle while those with an eye towards individual privacy are decrying it for further eroding American citizens' right to privacy.
[Side bar: It might come as a shock to most Americans that there is no “Right to Privacy” in the United States. The sixth article of the Bill of Rights guarantees that “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated…” but this doesn’t guarantee “Privacy”.]
What does CISA do?
CISA makes it easier for private companies to share cybersecurity information with agencies of the federal government.
Why is this good?
Since private companies can share information with federal agencies, those agencies can get a better idea of which threats are active and persistent and can focus resources on combating them. For example, a number of large companies might all be experiencing attacks on their networks originating from the same source. Without CISA, none of those companies would know anything other than the fact that they themselves were being attacked. With CISA, these companies could share information with federal agencies, which would then be able to see the larger picture and focus resources on the source of the problem, thus helping all of the industry at once rather than just one company at a time.
CNN summed up CISA as, "Every cyberattack is like a flu virus, and CISA is intended to be a lightning-fast distribution system for the flu vaccine. Opt in, and you get a government shot in minutes, not months."
Why is this Bad?
Like so many things, the devil is in the details, and it is the details that matter.
CISA allows private companies to share data with the Department of Homeland Security (DHS). Yes...the same government agency that recently failed to detect bombs and guns in 67 of 70 attempts to pass those items through security. After DHS has the data, the floodgates open and DHS must share the information with "any Federal agency or department, component, officer, employee, or agent of the Federal Government." That includes the NSA, the CIA, the FBI, the IRS, and even the Overseas Private Investment Company (Yep…that’s an actual government agency). CISA requires that personal information be removed from the information shared, but it also allows the government unprecedented access to that information and protection from prosecution if it fails to remove personal information.
Most opponents dislike CISA for two reasons: First, it really doesn’t do much for securing systems and instead focuses on responding to attacks, not preventing them in the first place. Second, the language of the act is so vague that lawyers are already scratching their heads trying to figure out what limits actually exist. For example, data from private companies can be shared among government agencies for "the purpose of responding to, or otherwise preventing or mitigating, a serious threat to a minor, including sexual exploitation and threats to physical safety." Protecting minors online is a good thing, but the verbiage is pretty broad and has nothing to do with cybersecurity.
CISA also prevents private individuals and private corporations from seeking damages or redress for harm caused to them by the sharing of information that includes their private information, and any information shared is specifically shielded from the Freedom of Information Act.
CISA is very similar to the Cyber Intelligence Sharing and Protection Act (known as CISPA), which failed in Congress due to widespread opposition from the private sector and eventual condemnation by the White House.
Who supports it?
Well…not surprisingly…government agencies. They want more direct access to private firms’ information. The bill's cosponsors are obviously in favor of it. They are Senators Dianne Feinstein (D-CA) and Richard Burr (R-NC). The DHS was originally in favor of the bill, but has since expressed concern about the provisions requiring it to broadly share the information it receives.
Other commercial groups that support CISA are the United States Chamber of Commerce, the National Cable & Telecommunications Association, and the Financial Services Roundtable.
Who Opposes it?
Thirty major technology companies and privacy groups, including the ACLU, Apple, Google, Facebook, Yahoo, Twitter, Reddit, Yelp, the Wikimedia Foundation, and the Electronic Frontier Foundation. And as mentioned above, even the DHS is against it in its current form.
My Personal Conclusion…
CISA is well-intentioned, but its wording is so broad and vague that it gives sweeping powers to the government with little control or recourse on the part of the individual or private industry. It is a step in the right direction, but it needs to be tightened up before it fairly balances cybersecurity against privacy.
Michael Lester is the Chief Security Officer for Magenic. If you’d like to contact Magenic directly, email us or call us at 877-277-1044.