CISA Paving The Way

Mar 2, 2016

I was recently reminded of the old proverb “the road to hell is paved with good intentions” when the controversial Cybersecurity Information Sharing Act (CISA) was passed quietly in the night as an amendment slipped into the trillion-dollar omnibus bill that prevented our federal government from running out of money and shutting down.


The stated purpose of CISA is somewhat vague: “To improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes.”

Specifically, the bill “requires the Director of National Intelligence and the Departments of Homeland Security (DHS), Defense, and Justice to develop procedures to share cybersecurity threat information with private entities, nonfederal government agencies, state, tribal, and local governments, the public, and entities under threats.”

Additionally, CISA creates the legal framework for private companies to share information regarding cybersecurity threats with the government, including liability protections for “entities that voluntarily share” that information.

Conceptually, CISA is a good idea because cybersecurity is a big problem and the bad guys seem to be winning. Almost every month, we read in the news of companies being hacked and data being stolen: your passwords, your credit card numbers, your identity.

Government agencies get hacked too. The biggest data breach of 2015 was of the Office of Personnel Management’s (OPM) database of government employees and contractors with security clearances. More than 4 million records of individuals with security clearances (including yours truly) were exfiltrated from OPM’s systems.

Someone out there (probably a nation-state actor such as China or Russia) now has a lot of personal information about me and millions of others who went through the security clearance process, which involves extensive background investigations. Would CISA have prevented the OPM data breach? Nope. Would OPM following best security practices have prevented it? Probably.

Information sharing between private tech companies and the government isn’t what’s going to better protect us. Improved information security practices are what will accomplish that.

It’s not so much what CISA is on paper, but what it could become in practice, that is the issue. Opponents of CISA, such as the Electronic Frontier Foundation (EFF), claim that the bill will not improve cybersecurity; rather, it will lead to further erosion of privacy and pave the way for greater government surveillance.

According to the EFF, “Cybersecurity bills aim to facilitate information sharing between companies and the government, but their broad immunity clauses for companies, vague definitions, and aggressive spying powers make them secret surveillance bills.”

CISA has also been opposed by the Business Software Alliance (BSA) and the Computer & Communications Industry Association (CCIA), which are made up of major tech companies such as Amazon, Apple, Facebook, Google, IBM, and Microsoft.

Additionally, some senators have announced opposition to CISA, including Ron Wyden, Rand Paul, and Bernie Sanders.

“Americans deserve policies that protect both their security and their liberty,” wrote Senator Wyden in a press statement. “This bill fails on both counts.”

Yes, Mr. Wyden, we Americans do deserve that. And no, CISA will not deliver either security or liberty. In fact, it might accomplish absolutely nothing.

According to cybersecurity expert Carter Schoenberg, “CISA’s framework has great intentions but will likely be an empty piece of legislation.”

Having read through the entire text of CISA, I’m inclined to agree with Schoenberg. While CISA’s intentions are good, its practical implementation will probably go to hell in a handbasket. Even with liability protections in place, I don’t think tech companies are going to be eager to share cybersecurity threat information with government agencies unless that information is directly related to a data breach and they’re offering it to the FBI for investigation.

Many of these tech companies are still trying to polish their tarnished PR image after the Snowden files exposed their complicity in massive clandestine surveillance programs such as the NSA’s PRISM program, which collected data on millions of Americans. Among the participating companies were Apple, Facebook, Google, and Microsoft. I find it ironic that some of these same companies now oppose CISA as though they had suddenly become bastions of privacy protection.

But maybe that doesn’t matter because privacy is dead. Back in 1999, as the World Wide Web was taking off, Sun Microsystems’ CEO Scott McNealy famously said, “You have zero privacy anyway. Get over it.” The greatest threat to our privacy isn’t CISA, or the government, or technology companies. It’s ourselves.

“We are living in the golden age of surveillance,” wrote security expert and privacy advocate Bruce Schneier in his recent book Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World. “We cooperate with corporate surveillance because it promises us convenience, and we submit to government surveillance because it promises us protection. The result is a mass surveillance society of our own making. But have we given up more than we’ve gained?”

That’s a rhetorical question for Schneier, who believes that mass surveillance is dangerous because it enables discrimination based on class, race, religion, and political positions. According to Schneier, “It [mass surveillance] makes us less safe. It makes us less free. The rules we had established to protect us from these dangers under earlier technological regimes are now woefully insufficient; they are not working. We need to fix that, and we need to do it very soon.”

While CISA itself doesn’t appear to have many teeth, it encourages further sharing of information between private tech companies that gather massive amounts of data on each of us, such as Google and Facebook, and government agencies such as the FBI and the NSA. On the surface, CISA’s intentions are good, but where those intentions ultimately take us might be someplace very hot and uncomfortable.