
The Cybersecurity Information Sharing Act of 2015 (CISA): Is It the Right Answer?

November 19, 2015 by Daniel Brecht

In an attempt to further the nation's cybersecurity efforts, a brand new cybersecurity bill, S. 754, the Cybersecurity Information Sharing Act of 2015, has just been discussed. The bill was introduced in the 114th Congress and quickly rose to the top of its agenda. Some relevant provisions of S. 754 have already appeared in other proposed bills (PCNA and NCPAA), but it does present some significant differences that are causing much debate.

What is CISA?

CISA creates a system that would allow companies to interact with the government and share information important for cybersecurity defense, including data collected on users. Senate Bill S. 754 supports the automated exchange of cybersecurity data for "situational awareness, real-time network defense, and sophisticated threat characterization and response," explains Richard Struse, Chief Advanced Technology Officer of DHS's National Cybersecurity and Communications Integration Center (NCCIC).

The bill basically allows (many say forces) private industries to share information collected on their users with the Department of Homeland Security (DHS), which, in turn, would have to share it in real time with all other government agencies. Not only PII, but also information on user behavior and habits (the type of data that some companies collect to target advertising) would potentially be shared with parts of the government. The bill would grant legal immunity and liability protection to companies that share information that violates privacy. Though the bill includes a significant number of privacy protections (in Sections 4, 5, 6 and 7), a number of concerns still have to be resolved.

Although several Senators submitted amendments to S. 754 to address some gray areas of the bill and attempt to fix what are perceived as CISA's serious privacy flaws, the proposal is still being pushed through the legislative process quite successfully. In fact, on 27 October 2015, the bill passed the Senate with 74 YEAs, 21 NAYs and 5 Not Voting.

Info Sharing Legislation

CISA is definitely not the first bill that addresses information sharing for cybersecurity. A number of other measures have been introduced over the years (such as NCCIC, CISCP, ECS, PCII, ISACs, TAXII, STIX and CybOX), and yet the government believes such a bill is still essential for threat intelligence. Enactment of CISA would permit any information construed as a cybersecurity threat to be revealed; in the legislators' intention, such an information flow would allow prompt action to employ defensive measures in real time to identify and mitigate cyberattacks. The measure would also give a private entity facing these threats permission to take appropriate steps to defend its own information networks and systems by using offensive measures or "hack back" methods as it sees fit.

Mr. Burr, Chairman of the Senate Select Committee on Intelligence, recommended enacting S. 754, believing it is a critical step forward for improving cybersecurity in America. The Committee believes it is important that the bill becomes law, as it is the right approach to the investigation of any cybercrimes. The current CISA proposal "aims to sidestep search warrants and other pesky due-process limitations on government by giving technology companies a motive to 'share' what it calls 'cyber threat indicators' to the Department of Homeland Security," explains Mike Godwin, the director of innovation policy and general counsel for R Street Institute, in a Slate piece. CISA's purpose is to increase cyber-surveillance and help spread early warnings of cyber-threats through information sharing.

However, there are doubts about whether information-sharing legislation is needed as a means to enhance cybersecurity. Many of the concerns about CISA stem from Section 4 of the bill, which authorizes the operation of countermeasures, referred to as "defensive measures" in the legislation, says Jake Laperruque, a fellow on privacy, surveillance, and security at CDT. He sees a need to improve CISA in the area of the defensive actions a private entity may take. He also has concerns about the protection and use of information across the different critical infrastructure sectors. As he points out, the sharing arrangements, with data being collected and then sent to the government, could easily extend to additional third parties (i.e., other stakeholder organizations) with no need to know, for non-cybersecurity purposes. Many also fear that the current version of the bill "will become a new avenue for the government to sweep up data, including emails, account passwords and Social Security numbers belonging to Americans," as Giuseppe Macri, a reporter for InsideSources, mentioned; the bill "could sweep away important privacy protections." The possible interference with the Freedom of Information Act also causes apprehension, as not everyone wants their data shared with intergovernmental entities.

Support and Opposition of CISA

Currently, several industries and business groups, including the U.S. Chamber of Commerce, back the CISA initiative, saying it might help lessen the number of cybersecurity incidents. The Cybersecurity Information Sharing Act (CISA) of 2015 is only about "Protecting America's Cyber Networks, Not Surveilling You." (Source: U.S. Chamber of Commerce) CISA is also considered a necessity because it creates a safe mechanism against "frivolous" lawsuits, as the U.S. Chamber puts it. In fact, it gives businesses liability protections (Section 6 of the bill) when personal information is embedded within the cyber threat indicators (CTIs) shared with the entities retrieving such data (state and federal government agencies, including the NSA, DHS NCCIC and local police). No other form of protection against legal liability for information sharing has been considered until now.

Obviously, many oppose the measure, as they see the bill as granting new "spying powers." Some activists, in fact, ask whether this is just an excuse for the feds to learn more about the American people, and believe that CISA is another step towards harming liberty without actually improving cybersecurity.

Another concern is that CISA wouldn't lead to stronger cyber defenses; according to some security experts, by asking for broad monitoring it might inundate the government with vast amounts of information, which could actually undermine cybersecurity. Even the Department of Homeland Security warned in a letter to Sen. Al Franken that the bill could undermine private citizens' privacy and increase the "complexity and difficulty" of responding to cybersecurity threats. The amount of information floating freely within the federal government could easily extend to credit card histories, lists of goods purchased (aggregated, for example, from customer loyalty cards), and healthcare records (tracked by insurers).

Many privacy activists and a few lawmakers continue to advise that CISA require the removal (filtering out) of data about customers or people, including any personally identifiable information (PII) that could be intercepted by hackers, before what may be threat data is shared with the government. This would require companies to "remove any information that the company knows is personal information unrelated to a cybersecurity threat," explained leading CISA critic Sen. Ron Wyden (D-Ore.). He actually addressed President Obama on the issue of the privacy of collected data: "There is a saying now in the cybersecurity field, Mr. President: if you can't protect it, don't collect it. If more personal consumer information flows to the government without strong protections, my view is that's going to be a prime target for hackers."

CISA and Tech Companies

The tech world seems divided, but in reality, major stakeholders are voicing their concerns and opposition to a bill they believe undermines the privacy of their users. Apple, for example, issued a statement saying that it did not support CISA: "The trust of our customers means everything to us and we don't believe security should come at the expense of their privacy."

A survey from Fight for the Future shows that Google, Microsoft, Twitter, Yahoo, Amazon, and Dropbox are also among the 23 tech companies wanting to stop CISA. The poll lists several of the world's top technology companies that are firmly against or in favor of the controversial Cybersecurity Information Sharing Act (CISA). In addition, the Business Software Alliance and the Computer & Communications Industry Association oppose the bill's passage.

The Computer & Communications Industry Association, representing Facebook, Google, Yahoo and several others, believes that "Cisa's prescribed mechanism for sharing of cyber threat information does not sufficiently protect users' privacy or appropriately limit the permissible uses of information shared with the government. In addition, the bill authorizes entities to employ network defense measures that might cause collateral harm to the systems of innocent third parties."

The Business Software Alliance (BSA), representing Apple, HP, Adobe and Dell, among others, seemed pro-CISA in the beginning, stating that legislation is necessary even if a balance must be struck between sharing important information and protecting consumer privacy. After waves of protests shook the United States, it soon released a message explaining its position: "For clarity, BSA does not support any of the three current bills pending before Congress, including the Cybersecurity Information Sharing Act (Cisa)."

Though the CISA bill does not force companies to give any sensitive business data to the government, many believe it allows entities like the NSA, FBI, FCC, Department of Defense, Commerce, and the Treasury, amongst other "relevant entities" (which remain undefined throughout the bill), unprecedented access to people's personal information in real time, as Asa Jay, editor-in-chief of Police State Daily, mentioned in Cop Block. It is the broad language of the bill that spurs the majority of concerns. In addition, the legal immunity granted to companies sharing information also seems to permit sharing information even beyond the scope of the legislation.

Committee chairman Senator Richard Burr has argued that the CISA bill aims to balance security and privacy by protecting "internet users' personal information while enabling new ways for companies and federal agencies to coordinate responses to cyberattacks." Users, however, who are already wary of entrusting their data to the government and large companies because of the many large breaches of recent years, expect to hear in more detail how privacy will be protected and to see the limits of sharing better defined.

Conclusion

If S. 754 were to pass and become law, it would attempt to give government and private entities information in "real time" to counter cyber threats; so why should it be questioned? Skeptics believe that the intelligence gathered and shared would extend well beyond data related to threats.

Tech companies fear that voluntary disclosure might become an obligation to share more and more data with the government, and are afraid that their customers might begin withdrawing their trust and patronage. All this comes without any guarantee that the new measures and the info-sharing burden will provide a real enhancement to existing security measures.

However, if the right balance is struck between facilitating greater information sharing, and thereby enhancing cybersecurity, and important consumer privacy protection measures, CISA may have a chance to become law in the near future.

What is certain is that President Obama backs the House companion bill on sharing information about imminent or ongoing cybersecurity threats, H.R. 1560, and has made it clear that he will support federal cyber threat indicator sharing and defensive measure activities as needed; cybersecurity is a priority.

References

Bennett, C. (2015, October 22). Controversial cyber bill clears first Senate hurdle. Retrieved from http://thehill.com/policy/cybersecurity/257720-controversial-cyber-bill-clears-first-senate-hurdle

Craig, C. (2015, October 23). Nearly everyone dislikes CISA, so Congress will make it law. Retrieved from http://www.infoworld.com/article/2995960/government/cisa-congress-law.html

Godwin, M. (2015, October 26). The Many, Many, Many Flaws of CISA. Retrieved from http://www.slate.com/articles/technology/future_tense/2015/10/stopcisa_the_cybersecurity_information_sharing_act_is_a_disaster.html

GovTrack Insider. (2015, October). Senate takes up "CISA" cybersecurity bill that asks companies to share information with the government. Retrieved from https://medium.com/govtrack-insider/senate-takes-up-cisa-cybersecurity-bill-that-asks-companies-to-share-information-with-the-ddad8980de3e#.dc0df2emn

Jay, A. (2015, October 22). The Future of Internet Freedom to Be Decided By CISA Vote. Retrieved from http://www.copblock.org/144523/the-future-of-internet-freedom-to-be-decided-by-cisa-vote/

Laperruque, J. (2015, July 28). How CISA's Countermeasures Authorization Threatens Security. Retrieved from https://cdt.org/blog/how-cisas-countermeasures-authorization-threatens-security/

Macri, G. (2015, October 27). Senate Passes Divisive Cybersecurity Data Sharing Bill. Retrieved from http://www.insidesources.com/senate-passes-divisive-cybersecurity-data-sharing-bill/

Thielman, S. (2015, October 21). Apple, Google and Twitter among 22 tech companies opposing CISA bill. Retrieved from http://www.theguardian.com/technology/2015/oct/21/apple-google-and-twitter-among-22-tech-companies-opposing-cisa-bill

U.S. Congress. (2015, March 17). S.754 - Cybersecurity Information Sharing Act of 2015. Retrieved from https://www.congress.gov/bill/114th-congress/senate-bill/754

U.S. Department of Homeland Security. (2015, July 23). DHS Leads Effort to Transition Automated Cybersecurity Information Sharing Specifications to International Community. Retrieved from http://www.dhs.gov/blog/2015/07/23/dhs-leads-effort-transition-automated-cybersecurity-information-sharing

Zengerle, P. (2015, October 22). Cyber security bill advances in Senate. Retrieved from http://www.reuters.com/article/2015/10/22/us-usa-cybersecurity-congress-idUSKCN0SG24820151022

Daniel Brecht

Daniel Brecht has been writing for the Web since 2007. His interests include computers, mobile devices and cyber security standards. He has enjoyed writing on a variety of topics ranging from cloud computing to application development, web development and e-commerce. Brecht has several years of experience as an Information Technician in the military and as an education counselor. He holds a graduate Certificate in Information Assurance and a Master of Science in Information Technology.