You may have heard of this bill. It’s making headlines today because some technology companies are raising their opposition to it. As (one of) your experts on all things technology, I’ve taken it upon myself to read the bill and give you my (expert) opinion.
According to the text of the bill, CISA’s purpose is
[t]o improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes.
The language of the first part of the bill allows “entities” to share “cyber threat indicators” and “defensive measures” with each other and the federal government. The bill defines these terms as follows:
- Entity means any private entity, non-Federal government agency or department, or State, tribal, or local government (including a political subdivision, department, or component thereof).
- Cyber threat indicator means information that is necessary to describe or identify a whole list of things, such as malicious activity aimed at collecting data to be used in a cyber attack, a security vulnerability, activity aimed at exploiting a vulnerability, “malicious cyber command and control,” (which I think might mean remote code execution, but I’m not sure), or any combination of these things.
- Defensive measure means an action, device, procedure, signature, technique, or other measure applied to an information system or information that is stored on, processed by, or transiting an information system that detects, prevents, or mitigates a known or suspected cybersecurity threat or security vulnerability.
It provides immunity from anti-trust laws if two entities are sharing information related to cyber threats in accordance with the bill; and it provides protection from liability when entities are sharing data under the bill.
It requires the federal government to create systems to allow entities to report cyber threats and defensive measures to the Federal government, and requires the government to report on the progress of these systems.
There is language throughout the bill that protects privacy, but it’s generally fairly weak, referring to “existing law,” or simply saying that the sharing processes and systems should not include irrelevant personal data.
Obviously, the bill is long, complex, and wordy. It’s impossible to determine what sort of regulation will come of it, since the bill’s chief action is to direct the Federal government to create systems that allow for threat reporting. Is that a whole new office? Department of Something? It’s hard to say.
As an IT professional focused on cyber security, I like the stated purpose of the bill. Certainly, everyone in this country needs to recognize the existential threat posed by our lack of cyber security. I appreciate the desire to share threats as they’re identified as well as the means for defeating them.
But this won’t do much to accomplish any of that.
First, why did the authors feel the need to make a law that allows entities to share information? Is there some law preventing that now? As the IT manager of my company, am I not allowed to share information about my cyber security program with other companies? If there are laws preventing government agencies from doing so, I suppose this language is necessary. I’m no anti-trust lawyer, but I can’t believe two companies sharing this information would be construed as engaging in activity designed to eliminate competition.
Second, the protections against the transmission of personal information to other entities or the Federal government are inadequate. I don’t think merely saying, “Follow the law where applicable” is enough. I’m not alone in that assessment; many companies have raised objections to the bill for the same reason.
Third, I don’t believe the federal government capable of producing a system that facilitates the timely sharing of this kind of information. This may be due to my ideological or partisan distrust of big, bureaucratic agencies. But the bill itself has about twice as many words as it needs to have; any systems, procedures, departments, or websites that devolve from it are apt to be convoluted, difficult to understand or follow, and filled with language no one understands.
Fourth, there are already plenty of private organizations that do this. We do not need a law or more bureaucracy to accomplish the goal here. Most private entities will stick with those organizations and steer clear of whatever system the government puts in place.
The government, private organizations, and individuals need to do two things to combat cyber threats. First, they need to raise awareness. We no longer live in a world where cyber threats happen to someone else. Everyone I know has had his or her credit card information stolen, or has had his or her Facebook or e-mail account hacked. Every corporation I’ve dealt with has been the victim of cyber attacks. Second, we need to educate ourselves about how these attacks happen and how to stop them. I’m not talking about that once-a-year security policy training some corporations and government agencies provide; I’m talking about training to understand the threat landscape, so that individuals know when they are being attacked, and what to do about it.
That’s what will make the difference. This bill, not so much.