CISA: You have the right to remain spied upon


The Cybersecurity Information Sharing Act (CISA) bill has been passed by an alarmingly large majority in the US Senate. Amazingly, given the amount of high profile and intelligent debate from some of the biggest names in the technology industry, the bill was passed by a vote of 74 to 21. But what is CISA, why does it matter to everyone who uses the Internet and what does the IT security industry have to say about it?

What is CISA anyway?

CISA, the Cybersecurity Information Sharing Act (S. 754) of 2015, is a bill that essentially enables private businesses to share data regarding cyber-threats with the federal government (including the National Security Agency) in order to fight cybercrime, hacking and state-sponsored threats.

The data concerned includes, of course, the personal user data of their customers. In order to enable this without breaking other laws, CISA offers protection from lawsuits regarding the sharing of personal data to those companies who participate. In other words, it gives a whole bunch of federal government agencies access to private information whilst neutralising the US Freedom of Information Act.

The people whose data is being shared will be none the wiser, as CISA doesn’t require them to be told. Indeed, an amendment that would have required just such a notification to those whose data was being examined in this way was voted down by the Senate.

CISA is, and always was, a surveillance bill by another name. Bear in mind that much of the data we are talking about, from private industry across all sectors, is that which the government has never been allowed access to (officially at least) in any form before CISA. What private business does already have, courtesy of the IT security industry, is access to shared threat data that is already being used to help protect them from attack. The only people that will benefit from CISA, at the end of a very long day, are going to be the government and the federal agencies attached to it.

Who was against it?

No, we don’t mean in terms of those who actually voted (although the US political debate in the run up to Presidential candidate elections is an interesting one, that’s a little outside of our remit here at IT Security Thing), but rather within the tech industry.

Well, amongst the most highly outspoken prior to the Senate vote were Apple, Dropbox, Google, Reddit, Salesforce, Twitter and the Wikimedia Foundation (which was founded by Jimmy Wales of Wikipedia fame), all of whom did their speaking out on the grounds of privacy loss.

However, they were joined right before the vote by a group of highly esteemed tech law professors from the Princeton Centre for Information Technology Policy who wrote an open letter to the Senate explaining that CISA would totally undermine the Freedom of Information Act.

That Edward Snowden joined the chorus of disapproval may not have helped the cause within a Senate hostile to the NSA whistleblower, although you would like to imagine they are above such grudge holding. Unfortunately, none of these voices appear to have been heard by The Powers That Be, who appear intent on dismantling what freedoms exist on the Internet in the name of the war on terror, whatever that may actually be.

The IT security industry perspective

IT Security Thing does not, cannot, and will not claim to speak for the entire IT security industry; rather, we aim to speak to it and hopefully someone is listening. So it seems right that we give some industry mouthpieces a chance to have their say on CISA now the vote is in. Here’s what a random selection of the great and good think about it.

Former Gartner fellow and Vice President, French Caldwell, who has experience working with the US White House on issues relating to national and cyber security, now acts as chief evangelist at MetricStream, rightly reckons that CISA has become a personal issue for a lot of people.

He says that libertarians are strongly opposed and it’s easy to sympathise with that position. “The libertarian argument is though that, even with the privacy protections, this bill inherently increases government surveillance powers, and how do we know for certain that the government will not abuse the increased surveillance?

“Once the door is opened to this type of information sharing, there may be a risk over time of even more surveillance powers being granted to the government. For instance, might sharing go from voluntary to mandatory over time?

“In talking to those security people on the front lines at banks, electrical utilities, energy companies, and hospitals, I have learned that they are fighting a war. Well-financed gangs of criminal hackers are attacking businesses and government agencies daily. And as we’ve seen over the last few years, nation-states are attacking companies to steal intellectual property and probe for weaknesses in critical infrastructure.

“In the aggregate, these cyber-attacks amount to cyber war. Is this type of surveillance absolutely necessary? The answer may vary industry to industry. The sharing of information is voluntary. Businesses are not required to do so, but there are clear benefits to doing so. Entities who share will have access to the pooled cyber threat intelligence of the system that is maintained by the Department of Homeland Security.

“Participants can also gain access to classified and unclassified threat analysis from the federal government. There are significant privacy protections in the legislation, and participants also will enjoy liability protections from anti-trust rules.”

Yorgen Edholm, CEO of Accellion, appears much less comfortable with CISA, saying “passage of the Cybersecurity Information Sharing Act isn’t just troubling from a privacy perspective, it’s troubling from an economic perspective as well.

“CISA is just the latest in a long list of legislation that is stifling transatlantic information sharing, including the recent invalidation of Safe Harbor agreements. If lawmakers continue to discourage international organisations from doing business with US firms, while also intruding on the privacy rights of citizens, they run the risk of jeopardising the health of the technology sector.”

Meanwhile, Rafael Laguna, who is CEO of Open-Xchange, is also on the troubled side of the fence and insists that “aside from its exploitatively vague definitions of ‘cybersecurity threat’ and ‘threat indicators’ the most troubling aspect of the CISA is the degree to which it utterly disregards user privacy in favour of security.

“Information can be shared ‘notwithstanding any other provision of law’. The stipulation that states that companies may not pass on data that they ‘know at the time of sharing’ to contain sensitive information is simply another get-out clause for companies looking for legal cover from a security breach.

“Gallingly, many cybersecurity firms (who make a business on the back of being experts on the topic!) have rejected the idea that information sharing is an effective way of stopping cyber-attacks. The passing of CISA is another disappointing response to the pressing issue of finding the right balance between privacy and security.”

The IT Security Thing perspective

It’s probably a little late to play the ‘guess what IT Security Thing thinks about CISA’ game now, considering what we’ve already written above. However, let’s get one thing clear: IT Security Thing agrees that there is a need for better communication throughout the public and private sector with the IT security industry, between government agencies and the IT security industry and, crucially, amongst vendors within the IT security industry itself. Threat intelligence is the key to defending networks and the data that both sits upon and travels through them; sharing that intelligence in a meaningful and considered way is obviously an important factor in hardening overall security posture.

The cyber threat is not going away, and we need to do better in order to defend against it. Real-time threat intelligence sharing makes sense, but only if the privacy rights of end-users remain firmly at the forefront of any such solution.

The war against cybercrime, much like the war against terror, is all but lost when the laws and processes brought in to fight it end up taking away the rights of the individual. That’s where the IT Security Thing objection to CISA, and any such surveillance act no matter how much it is wrapped up in pretty paper and labelled something else, really sits.

By all means let’s share threat information that will actually help in this fight, but only that threat information. Let’s share it within an independently monitored and tightly regulated framework that allows relevant use without stamping all over citizen privacy rights. Let’s not just make it an excuse for a government, and those affiliated agencies with such a bad track record for doing the stomping, to be able to collect data as it sees fit. Let’s not bribe business to share this data by giving them a free pass from legal liabilities that would otherwise prevent them from playing fast and loose with our information.

The Cybersecurity Information Sharing Act is a US government data grab, nothing less but a whole lot more besides. The Senate would have done better to vote on something that requires all businesses, large and small, to start taking security seriously.

To come up with a plan that encourages education and awareness amongst those who handle our data, so that they take the necessary measures to protect it. To make organisations take responsibility for implementing meaningful cyber security, rather than just ticking boxes, and perhaps even to introduce financial consequences for those unwilling to do so (a little bit controversial there, but hey).

Instead, and I refer back to that open letter written by the learned professors I mentioned earlier, what we get is something that “…offloads responsibility to a generalized public-private secret information sharing network.” Something that “…creates new law in the wrong places” rather than encouraging “more robust and meaningful private efforts to prevent intrusions into networks and leaks out of them.”

Let’s leave the last word, and those of a delicate disposition may want to stop reading here, to Kate Knibbs from Gizmodo. “The Senate just passed a cybersecurity bill that won’t do shit to prevent hacks. What it will do is help the government spy on its citizens,” she said, concluding that CISA was “like a horny zombie looking to skullfuck the nation’s privacy.” I think I may just be a little bit in love.