The security community’s reaction as CISA passes US Senate
On Tuesday, the US Senate passed the Cybersecurity Information Sharing Act (CISA), legislation that will allow companies to share information about the cyber attacks they have suffered with government agencies without having to worry about being sued by users for breach of privacy.
Opponents of the bill – both various companies and privacy advocates – worry that CISA will be used by the government to perform surveillance, as it contains no strong protection of US citizens’ privacy rights.
What’s even worse, the EFF says, is that CISA doesn’t address the real cybersecurity problems that caused computer data breaches like Target and the US Office of Personnel Management.
“The bill now moves to a conference committee despite its inability to address problems that caused recent highly publicized computer data breaches, like unencrypted files, poor computer architecture, un-updated servers, and employees (or contractors) clicking malware links,” they noted.
Here are some reactions from the security community Help Net Security received about the passing of the bill.
Justin Harvey, CSO at Fidelis Cybersecurity
I’m disappointed to see lawmakers ignore the protests and concerns from the cybersecurity community, as well as corporations who have issued concerns over the legislation. During the lifespan of this bill, it was never apparent to the American public who was really pushing the legislation. I don’t feel like this process was very transparent.
And I don’t believe the bill is doing enough to ensure we stay ahead of the hackers. Encouraging companies to share their cyber threat intelligence indicators is not the answer. They can already do this with DHS and the US CERT. Catching attackers with threat intelligence is only effective if someone else has seen the threat before. Many of today’s attacks are signature-less, which means they’ve never been seen before.
Regarding the strong opposition to the bill, that opposition was centered on the privacy aspect. The bill essentially allows for a loose interpretation of “cyber threat intelligence” and makes companies immune from prosecution by allowing them to share it with any government agency directly, including the NSA. This moves us back into an Edward Snowden situation where companies can collect metadata on citizens under the thin veil of “collecting threat data” and share it directly with the NSA. In my opinion, the Senate passed this bill largely under intense pressure from the NSA and other gov’t intelligence agencies.
Carl Herberger, VP Security Solutions at Radware
In the initial conventional design of the constitution, and amendments thereafter, the right to privacy was not endowed to us and does not make up the conscience of our jurisprudence system of government today. Simply put, there is no overall right to privacy in the United States. However, there will be real consequences of not having a national privacy law, namely that data breaches will grow exponentially.
The threat landscape is changing with great velocity. Without a law governing the human aspect of privacy, people will continue to steal, borrow and monetize this valuable asset until it no longer holds meaning. Delay of national privacy legislation is directly related to financial loss and national economic competitiveness. Financial institutions will be the great bearers of these costs as consumers demand to have their institutions restitute their damages.
French Caldwell, Chief Evangelist at MetricStream
CISA has become a personal issue for a lot of people. Libertarians are strongly opposed and it’s easy to sympathise with that position.
The libertarian argument, though, is that even with the privacy protections, this bill inherently increases government surveillance powers, and how do we know for certain that the government will not abuse the increased surveillance? Once the door is opened to this type of information sharing, there may be a risk over time of even more surveillance powers being granted to the government. For instance, might sharing go from voluntary to mandatory over time?
In talking to those security people on the front lines at banks, electrical utilities, energy companies, and hospitals, I have learned that they are fighting a war. Well financed gangs of criminal hackers are attacking businesses and government agencies daily. And as we’ve seen over the last few years, nation-states are attacking companies to steal intellectual property and probe for weaknesses in critical infrastructure. In the aggregate, these cyberattacks amount to cyberwar.
Is this type of surveillance absolutely necessary? The answer may vary industry to industry. The sharing of information is voluntary. Businesses are not required to do so, but there are clear benefits to doing so. Entities who share will have access to the pooled cyberthreat intelligence of the system that is maintained by DHS. Participants can also gain access to classified and unclassified threat analysis from the federal government. There are significant privacy protections in the legislation, and participants also will enjoy liability protections from anti-trust rules.
Richard Parris, CEO of Intercede
The rise of data breaches has no doubt influenced the Senate’s decision to pass the Cybersecurity Information Sharing Act (CISA). Consumers are concerned over the risk of personal data exposure – in fact, less than five percent of Millennials polled believe there are effective safeguards in place to protect their personal identifying data online today. Furthermore, fifty-four percent of Millennials claim the failure of business and government to implement better security will lead to public distrust. CISA is an attempt by the government to address some of these concerns and prevent future data breaches by providing a mechanism for the public and private sectors to share cybersecurity threat information.
CISA almost did not pass the Senate because of concerns expressed by privacy advocates that shared threat information may include the personally identifiable information of individuals. The privacy concerns raised are no surprise – twenty-three percent of Millennials already believe the government is accessing their data regardless of their consent, and greater than eighty percent state it is “very important” or “vital” for their personal identifying data to only be shared with those they have authorized specific access to it. With only seventeen percent of Millennials stating a “complete” trust in government institutions, focusing on proper identity management will be key to striking the balance citizens are demanding between maintaining network security and maintaining data privacy.