Senate Passes Information Sharing Bill
The Senate, on Tuesday, passed their version of CISA, the Cybersecurity Information Sharing Act. The House passed their own version of it months ago.
The stated purpose of the act is to allow private companies to share “threat” information with the government and have immunity from being sued by their users for doing this.
Because of the poorly defined terms – like what threat information is- and the broad array of government agencies that the information can be shared with – like the FBI and NSA, along with the pretty weak protections against using this information against American citizens, many cyber security experts are calling this bill an intelligence gathering bill disguised as a bill to improve security.
In reality, this bill, in whatever form the House and Senate conference committees make it become, will do almost nothing to improve either the average citizen’s security or the government’s security. It would, for example, do nothing to stop the OPM breach because that was a unique attack – there were no indicators of that attack in the wild because the only place it existed was at OPM. Same for Anthem. Same for Home Depot.
Ignoring that, post Snowden, tech companies are extremely wary of sharing anything with the government – it is, to be honest, not good for business. To be seen as voluntarily sharing your and my data with the government is the kiss of death from a reputation standpoint.
In fact, Microsoft and the Justice Department are locked in mortal combat. The FBI wants Microsoft to bring data from Ireland back to the United States and give it to them. Microsoft says that doing that, absent an Irish court order would subject them to criminal charges in Ireland, so if you want the data, get an Irish court to tell us to do so. In Ireland. They have been fighting over this for almost two years (see article). Microsoft is fighting this because (a) it is good for PR and (b) they do not want to set a precedent that would likely get them sued in Europe. And, given the sentiment inside the EU after the Max Schrems/ECJ Safe Harbor decision, I don’t blame Microsoft.
More importantly, this will do little to nothing to improve security.
There has been an FBI-private industry relationship for over 10 years now called FBI-Infragard. This is a very simple way to share information with the government. Sharing data is not a problem.
There are dozens of ISACs or Information Sharing and Analysis Centers and ISAOs or Information Sharing and Analysis Organizations (there really isn’t much difference between the two. ISACs were originally focused on critical infrastructure, but many of them allow anyone in their particular vertical, like finance, to join). Companies that want to share data with their ISAC or ISAO can already do that.
At least for industry leaders, they are already sharing all the data they need. Sometimes informally, sometimes formally. They do not need CISA to do that because threat indicators rarely require the sharing of personally identifiable information.
So why is Congress pushing so hard for this new law.
Two reasons, in my opinion – other people may not want to be quite as cynical as me – but they might be.
Voter approval of Congress is in the single digits. It is worse than the approval rating of used car salespeople or debt collectors. With a Presidential, Congress and Senate election coming up next year, incumbents want to be able to pretend that they did something useful to reduce the number of cyber breaches when they go out and campaign. They are counting on people being too ill-informed to know that this law is next to useless.
More useful would be to provide oversight (which is their job) and provide funding. Just this week Congress refused to give OPM $38 million dollars to deal with their hundreds of millions of dollars in budget shortfall to improve their computer systems security. This is the agency that is still running at least one core system built in the 1960s.
The people who built that system likely have all died of old age by now, but the system is still running. Do you think that some threat information shared by, say, Facebook (who appears to be the only tech company in favor of CISA – even though that is political suicide – unlike Google, Microsoft and others, Facebook refuses to say that they oppose CISA) will help OPM protect against a mainframe based, COBOL system written in the 1960s? I didn’t think so.
Will sharing threat information solve the problem of tech executives who say that they won’t spend $10 million to avoid a possible $1 million loss – I will accept the risk (that would be Jason Spaltro, SVP of Information Security at Sony)? Sony accepted the risk and look what happened to them. The problem of course is that while you may guess that the $10 million number is right, you have no idea if the $1 million number is correct or is really $100 million, as Sony found out.
Will sharing some threat information stop 25% of a government agency’s employees from clicking on phishing emails? And almost none of them reporting it to their security team – 7% reported it. (That would be the USPS, by the way). I don’t think so.
So, as is often the case, Congress is taking the easy way out with CISA, rather than actually dealing with the real problem inside government – which is their responsibility to fix. Private industry is way ahead of the government, for the most part, even though private industry knows that they have a lot more work to do.
Sorry, I know this is mostly a rant, but it is important for people to understand that CISA will not make a difference no matter what some politician tells you in a sound bite.
Read the article below for more experts takes on the issue.
Information for this post came from Net-Security.
Interesting piece and thoughtful input on a very complex issue within the context of a very complex problem…thank you. This was not an easy piece to write.
A couple quick thoughts:
1. I think you are right…this bill is probably not going to make that much difference in the short-term, but the resistance it generated within parts of the tech industry reflect pain and therefore change of some sort.
2. The effort by the hundreds (or even thousands) of people it took to pass it probably was useful to those in government (and industry) who had to research, write, consider, and then vote one way or another. Now it is being read and considered by a much wider audience. All of this is part of a larger process of educating various segments of our society to the complexities of this issue–most importantly perhaps the government itself. It can be considered part of our security awareness training.
Perhaps the real value re this effort will come later with increased awareness and ultimately more meaningful legislation.
I agree that the conversation is important, but Congress must deal with the hard problems as well.
With the recent ECJ Safe Harbor ruling, this would have been an opportunity to signal our intentions to the E.U., which it did. Unfortunately, it was a signal that will only make negotiating a solution to the Safe Harbor ruling even more difficult.