While the House of Representatives garnered all of the media attention last week — with the GOP’s pursuit of Paul Ryan and the Benghazi committee’s pursuit of Hillary Clinton — Senators just across the Capitol rotunda were making decisions that could have much deeper implications for United States security and the privacy of millions of less famous Americans. A bill known as CISA — the Cybersecurity Information Sharing Act — cleared its cloture vote on Oct. 22 and, with the qualified support of the White House, is headed for floor debate and an expected final vote late Tuesday.
The legislation, according to proponents, is a comprehensive step toward securing private data networks against malicious hackers — a means by which companies can share early “cyberthreat indicators” with the Department of Homeland Security. But according to CISA’s critics (and there are many), the bill represents a solution to a problem that doesn’t exist. They say it’s an ineffective bulwark against cyberthreats and a potentially grave threat to the privacy rights of U.S. citizens.
CISA is sponsored by North Carolina Republican Richard Burr, chairman of the Senate Select Committee on Intelligence (SSCI), and Dianne Feinstein of California, the committee’s ranking Democrat. And therein lies the first clue to what this bill is about.
"This is coming out of the Senate Intelligence Committee, not the Commerce or Homeland Security Committees," said Eli Dourado, who runs the tech policy program at George Mason University’s Mercatus Center.
Dourado explained to Vox that if this were primarily an issue of protecting private U.S. electronic infrastructure from hacks, one would expect the latter two committees to take the lead. While there are elements of CISA that are generous to private-sector business interests, he said, "I don't hear very much arguing outside of the Intelligence Committee that we need this for cybersecurity."
But you will hear plenty of arguments about why the U.S. does not need CISA — and why private citizens should be very wary of the legislation.
No real problem
CISA advocates say that U.S. privacy protections inhibit corporations from sharing crucial data that could help other businesses or the federal government catch hackers before they do harm. The fear now, according to proponents, is that sharing this data opens companies to possible legal action should they inadvertently share personal data. They argue that if government agencies had access to information about suspicious activity on private networks, the federal government could issue warnings to network administrators. To facilitate those warnings, corporations need legal protections from investigations and lawsuits.
While the business community rarely says “no” to immunity, Internet watchdogs don’t see the need.
“It's far from clear that [current] privacy laws are actually hampering efforts to beef up the Internet's defenses,” wrote Vox’s Timothy B. Lee. Companies already share a good deal of information, he said, and that info is already “carefully curated by security experts.”
“These experts write reports that succinctly provide technical details about an emerging threat, without including any users' personal information,” he said.
CISA, critics say, would itself create a problem: the volume of data the bill proposes sharing makes it impossible for humans to do the filtering, so imperfect automated algorithms would have to be used instead, raising the odds that personal data is distributed.
Doesn’t prevent attacks
“As Richard Burr has admitted in recent days, CISA won't do what it was originally sold as doing: preventing cyberattacks on the government or private companies,” said Marcy Wheeler, intelligence blogger and a longtime chronicler of cybersecurity issues. Wheeler told Al Jazeera that Burr now claims it would only “limit the damage” from such attacks.
Many large U.S. companies already practice the kind of broad data collection and “cybersecurity information sharing” that CISA prescribes — but to little effect. A CISA-style program “rarely allows them to prevent attacks as the CISA bill promises,” wrote information security expert Robert Graham earlier this year.
In fact, the Department of Homeland Security already has a cyberthreat alert system. Run by the department’s Computer Emergency Readiness Team (DHS-CERT, as it is called), the system monitors public and private network threats and provides daily updates to anyone who wants to subscribe.
“None of CISA’s proponents have explained how DHS-CERT is so deficient in its mission that yet another ‘information portal’ needs to be created,” wrote former CIA analyst Patrick Eddington for Just Security, a national security forum based at the Center for Human Rights and Global Justice at New York University School of Law.
“In other words,” Graham wrote, “we’ve tried the CISA experiment, and we know it doesn’t really work.”
Eddington says that CISA does not address the kind of vulnerabilities that led to several high-profile hacks of government networks. Citing research from the Mercatus Center, he notes that of the nearly 68,000 “information security incidents” last year, none were “traced to a lack of information sharing.”
That number does not include the data breach at the Office of Personnel Management, discovered in April 2015, in which hackers accessed personally identifiable information — including Social Security numbers and home addresses — on an estimated 21.5 million current, former and potential U.S. government employees. That hack also exploited a vulnerability that would not have been caught by CISA protocols. Eddington argues that the sharing of personal data between private and government networks would potentially “make that vulnerability worse.”
What CISA would do, according to Eddington and other critics, is enhance U.S. intelligence agencies’ opportunity to spy on U.S. citizens.
The proposed law puts DHS in charge of these new data collection powers. But it also gives Homeland Security the power to share that data with "any Federal agency or department, component, officer, employee, or agent of the Federal Government." That could include law enforcement bodies like the FBI and ATF, intelligence agencies like the CIA and NSA, or even the U.S. Department of Agriculture if DHS thought it necessary. It could even include private contractors hired by federal agencies.
And the measure provides less scrutiny than is currently exercised over such controversial programs as the warrantless bulk data collection that was exposed by Edward Snowden in 2013. CISA would, according to Wheeler, “create a vast amount of new spying that could include many Americans, with no court oversight and few of the protections that even NSA has.”
Threat to privacy
As noted, the legislation permits the sharing of “cyberthreat indicators” between the private sector and DHS, but that term is open to interpretation. Along with “malicious reconnaissance” (like malware that records passwords), computer code and security vulnerabilities, CISA also allows sharing of information about “actual or potential” consequences of threats, and any other data deemed applicable to cyberthreats, unless that exchange is prohibited under existing law.
While the bill does instruct the government to protect the confidentiality of personal data “to the greatest extent practicable,” the definition of what is “practicable” will only be determined after CISA becomes law and government agencies begin drafting specific guidelines.
Sen. Ron Wyden, an Oregon Democrat and the only member of the Senate intelligence committee to vote against CISA when it was reported out of committee in the spring, made his privacy concerns clear. “If information-sharing legislation does not include adequate privacy protections,” he wrote in a statement at the time, “then that’s not a cybersecurity bill — it’s a surveillance bill by another name.”
Civil liberties watchdogs aren't the only ones troubled by this process. The Computer and Communications Industry Association (CCIA), a tech industry trade group that represents such internet giants as eBay, Facebook and Yahoo, said in a statement that “CISA’s prescribed mechanism for sharing of cyber threat information does not sufficiently protect users’ privacy or appropriately limit the permissible uses of information shared with the government."
While many in the information technology sector have expressed grave reservations about CISA, other business interests have embraced it — and the reason is the immunity provision. The U.S. Chamber of Commerce specifically lists “limited liability [and] disclosure” in their published talking points on reasons to support CISA.
CISA “would give sweeping corporate immunity for companies sharing information” with the government, according to the Sunlight Foundation, a nonpartisan transparency watchdog. Under the liability provisions in the act, should a participating business expose private data, either through sharing or through network vulnerabilities, it could be shielded both from having to disclose the breach and from any lawsuits by affected consumers.
Wheeler sees it in more extreme terms: “Immunizing corporations may make it harder for the government to push companies to improve their security.” She noted that General Motors came out in favor of CISA in August, the day after hackers revealed their ability to breach Internet-enabled onboard automotive systems, specifically referencing some GM products. The legislation would “insulate corporations from some of the risks of cyberattack,” Wheeler told Al Jazeera with a hint of sarcasm, “including [the risk] regulators like FTC [the Federal Trade Commission] or NHTSA [the National Highway Traffic and Safety Administration] might take action against them because they don't do enough to protect their customers.”
CISA, Wheeler said, “fits into the increasingly common theory that there is no problem that more corporate immunity can't fix.”
While CISA co-sponsor Feinstein claimed during a Senate floor speech earlier this year that 56 corporations supported the legislation, much can be learned about the purpose of the bill from those allied against it.
“[T]wo leading technology industry trade groups — representing giants like Google, Apple, and Microsoft that are targeted by hackers more than anyone else on the Internet — oppose the bill currently being considered in the Senate,” wrote Vox’s Lee last week. Add to them privacy advocates — the ACLU, the Electronic Frontier Foundation, Fight for the Future, and the New America Foundation, for example — and security experts, who argue that CISA does little to address any of the pressing cyberthreats while failing to adequately guard against the unsecured distribution of sensitive personal data. Additionally, it seems that the groups that have the largest stake in enhanced cybersecurity have the dimmest view of CISA.
“Members of Congress should pay attention: nobody wants this bill,” wrote Evan Greer, campaign director at CISA opponents Fight for the Future. “Not the public, not security experts, and not even the industry it’s supposed to protect.”
“CISA isn’t so much a cybersecurity bill as it is an Internet domestic spying bill,” wrote Wheeler last week. Still, she predicted, come Tuesday night’s vote, CISA will pass with “flying colors.”