Ricochet is the best place on the internet to discuss the issues of the day, either through commenting on posts or writing your own for our active and dynamic community in a fully moderated environment. In addition, the Ricochet Audio Network offers over 50 original podcasts with new episodes released every day.
Cybersecurity Information Sharing Act of 2015
You may have heard of this bill. It’s making headlines today because some technology companies are raising their opposition to it. As (one of) your experts on all things technology, I’ve taken it upon myself to read the bill and give you my (expert) opinion.
According to the text of the bill, CISA’s purpose is
[t]o improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes.
The language of the first part of the bill allows “entities” to share “cyber threat indicators” and “defensive measures” with each other and the federal government. The bill defines these terms as follows:
- Entity means any private entity, non-Federal government agency or department, or State, tribal, or local government (including a political subdivision, department, or component thereof).
- Cyber threat indicator means information that is necessary to describe or identify a whole list of things, such as malicious activity aimed at collecting data to be used in a cyber attack, a security vulnerability, activity aimed at exploiting a vulnerability, “malicious cyber command and control,” (which I think might mean remote code execution, but I’m not sure), or any combination of these things.
- Defensive measure means an action, device, procedure, signature, technique, or other measure applied to an information system or information that is stored on, processed by, or transiting an information system that detects, prevents, or mitigates a known or suspected cybersecurity threat or security vulnerability.
It provides immunity from anti-trust laws if two entities are sharing information related to cyber threats in accordance with the bill; and it provides protection from liability when entities are sharing data under the bill.
It requires the federal government to create systems to allow entities to report cyber threats and defensive measures to the Federal government, and requires the government to report on the progress of these systems.
There is language throughout the bill that protects privacy, but it’s generally fairly weak, referring to “existing law,” or simply saying that the sharing processes and systems should not include irrelevant personal data.
Obviously, the bill is long, complex, and wordy. It’s impossible to determine what sort of regulation will come of it, since the bill’s chief action is to direct the Federal government to create systems that allow for threat reporting. Is that a whole new office? Department of Something? It’s hard to say.
As an IT professional focused on cyber security, I like the stated purpose of the bill. Certainly, everyone in this country needs to recognize the existential threat posed by our lack of cyber security. I appreciate the desire to share threats as they’re identified as well as the means for defeating them.
But this won’t do much to accomplish any of that.
First, why did the authors feel the need to make a law that allows entities to share information? Is there some law preventing that now? As the IT manager of my company, am I not allowed to share information about my cyber security program with other companies? If there are laws preventing government agencies from doing so, I suppose this language is necessary. I’m no anti-trust lawyer, but I can’t believe two companies sharing this information would be construed as engaging in activity designed to eliminate competition.
Second, the protections against the transmission of personal information to other entities or the Federal government are inadequate. I don’t think merely saying, “Follow the law where applicable” is enough. I’m not alone in that assessment; many companies have raised objection to the bill for the same reason.
Third, I don’t believe the federal government capable of producing a system that facilitates the timely sharing of this kind of information. This may be due to my ideological or partisan distrust of big, bureaucratic agencies. But the bill itself has about twice as many words as it needs to have; any systems, procedures, departments, or websites that devolve from it are apt to be convoluted, difficult to understand or follow, and filled with language no one understands.
Fourth, there are already plenty of private organizations that do this already. We do not need a law or more bureaucracy to accomplish the goal here. Most private entities will stick with those organizations and steer clear of whatever system the government puts in place.
The government, private organizations, and individuals need to do two things to combat cyber threats. First, they need to raise awareness. We no longer live in a world where cyber threats happen to someone else. Everyone I know has had his or her credit card information stolen, or has had his or her Facebook or e-mail account hacked. Every corporation I’ve dealt with has been the victim of cyber attacks. Second, we need to educate ourselves about how these attacks happen and how to stop them. I’m not talking about that once-a-year security policy training some corporations and government agencies provide; I’m talking about training to understand the threat landscape, so that individuals know when they are being attacked, and what to do about it.
That’s what will make the difference. This bill, not so much.
Published in Domestic Policy, General, Law, Science & Technology
Fifth, federal agencies have themselves been repeatedly hacked and Secretary Clinton proved that they don’t even follow their own legally mandated security policies at all times. Why consolidate the sensitive information of American citizens and corporations into a vulnerable target for hackers?
That may not be a reason why the bill won’t work, but it certainly is an excellent point.
Plus: government employees are always failing security tests
The language allowing entities to share information is most likely aimed at complying with requirements of anti-trust law – it may not do any more than announce the intent of Congress that entities that share information related to cyber-security will not be found to run afoul of the prohibitions on information sharing that exist in anti-trust laws.
That’s fine. There is a sentence or two in the bill that does exactly that. So why is this required:
Why do we need language in this bill that says a private entity may monitor their own network? And why can’t I get this text to left justify? (it left justified itself after posting, which happens to us all)
“Cyber threat indicator” I think I’m just going to roll that one around my mouth for a while.
As far as it goes though, there is a certain problem with doing security research under current law. As in, a lot of it is technically illegal. It sounds as if the feds may be trying to ameliorate that, but again:
That’s enough for me to oppose the bill. The last thing we need is another agency writing laws for us.
Please elaborate.
Aaron is very good at making excellent points.
What’s the thing? The Computer Fraud and Abuse Act? Something like that. Or possibly the Digital Millenium Copyright Act.
It is illegal to circumvent the digital protections that a publisher has put in software. This doesn’t prevent them from testing their own code for vulnerabilities, but it does mean that anyone else trying to do so is in a dicey position.
There are several companies that offer bug bounty programs; if you find a vulnerability in their product they will pay you for it. These companies aren’t very likely to sue you for breaking into their software when you do, and I don’t think the feds are either, but the possibility exists, which ought to make the researcher nervous.
Ok. Well I would argue that most of the work being done to identify and stop cyber attacks, at least the work that doesn’t involve user training and education, has to do with monitoring network traffic, not reverse engineering software.