Ferocious opposition not enough to stop CISA

28.10.2015
The Cybersecurity Information Sharing Act of 2015, which passed the Senate this week, is about improving cyber security through the private sector and government sharing threat information. Opponents’ arguments that it is a clandestine surveillance bill were not enough to kill the bill.

October is National Cyber Security Awareness month. But after the U.S. Senate’s approval of the Cybersecurity Information Sharing Act of 2015 (CISA) on Tuesday, the many and increasingly vocal opponents of the bill may be inclined to re-name it “Lack of Cyber Security Awareness” month.

CISA, which got final passage on a 74-21 vote, and which President Obama has indicated he will sign, is touted by advocates as a way to improve cyber security in both the public and private sectors through the sharing of threat information.

But opponents, including privacy and civil liberties advocates, legal and security experts and a lengthening list of some of the biggest names in the tech industry – Apple, Google, Microsoft, Amazon, Twitter and dozens more – say it not only will fail to improve cyber security, but will instead enable more government surveillance of citizens.

Lee Tien, senior staff attorney and Adams Chair for Internet Rights at the Electronic Frontier Foundation (EFF) is one of multiple security experts who say CISA demonstrates that members of Congress don’t understand the problem – that the main cause of rampant vulnerabilities to cyber attacks is not a lack of information sharing, but a lack of basic “security hygiene.”

Advocates of the bill, he said recently, “can’t even begin to connect failures of information sharing to the attacks and data breaches we read about, such as Target, Neiman-Marcus, OPM (federal Office of Personnel Management) or Ashley Madison.”

Opponents blitzed members of the Senate with emails, faxes and petitions after an 83-14 vote to end debate last week, and issued a blizzard of press releases to the media, hoping to peel off votes.

In one, Nathan White, senior legislative manager of the digital rights group Access, called CISA, “a surveillance bill masquerading as a cybersecurity bill.”

In another, Evan Greer, campaign director for Fight For The Future (FFTF), said government has already damaged the public trust due to, “deplorable surveillance programs and pathetic cybersecurity.”

CISA, she said, would make that damage irreparable. “Politicians need to decide which side of history they want to be on: The side that fought for freedom or the side that gave it away,” she said.

And a group of 21 professors who teach cyberlaw and cybersecurity, led by Prof. David S. Levine of the Elon University School of Law, wrote to the Senate at the last minute on Monday, urging a no vote, arguing that it would not do what its supporters claim – improve cybersecurity – and would do what supporters claim it won’t – allow “backdoor” government surveillance.

“The Freedom of Information Act would be neutralized, while a cornucopia of federal agencies could have access to the public’s heretofore private-held information with little fear that such sharing would ever be known to those whose information was shared,” the letter said, adding that CISA is, “a classic ‘let’s do something’ law.”

The opposition has been building for months, however.

In July, a letter to the president, signed by 40 organizations and 31 individuals, urged him to veto the bill, contending that it violated the administration’s own stated priorities to, “preserve Americans’ privacy, data confidentiality, and civil liberties and recognize the civilian nature of cyberspace.”

Even the federal Department of Homeland Security (DHS) warned in a letter to Sen. Al Franken (D-Minn.) that the bill, “could sweep away important privacy protections, particularly the provisions in the Stored Communications Act limiting the disclosure of the content of electronic communications to the government by certain providers.”

But Sen. Richard Burr (R-NC), chairman of the Senate Intelligence Committee and sponsor of CISA, and the Democratic vice-chair, Sen. Dianne Feinstein (D-Calif.), have aggressively pushed back. In a website post aimed at “debunking myths” about CISA, they contend that the bill, “helps protect personal privacy, by taking steps to stop future cyber-attacks before they happen …”

They also dispute accusations that the bill allows government surveillance, calling it “100% false.” They said any sharing is voluntary, the law requires personally identifiable information (PII) to be removed before threat information is shared, and the bill, “does not provide any way for the government to monitor any personal records.”

Last week, Burr and Feinstein issued a press release with supportive statements from a bipartisan list of more than a dozen senators (including themselves).

Feinstein again stressed that sharing is voluntary. “If you don't like the bill, you don't have to do it,” she said.

Greer, in an interview, called those claims “patently untrue,” saying the language of the bill is, “incredibly vague and allows the government to use the data it collects from private companies for a wide range of purposes that have nothing to do with cybersecurity or preventing hacking attacks.”

She added that the “voluntary” part of the bill applies only to the companies involved, not to their customers or Internet users in general. CISA, she said, “creates a dangerous environment where companies have great incentives to share data but no incentive to improve their own networks, since they'll be legally immune in the event of a hack.”

Indeed, four amendments to strengthen privacy provisions were rejected, including one by Sen. Ron Wyden (D-Oregon), that would have required PII to be removed, “to the extent feasible” instead of the default language that requires PII removal only if companies “know” it is not directly related to a cyber threat.

Justin Harvey, CSO of Fidelis Cybersecurity, thinks it may not be that Congress is clueless, but looking for a new way to conduct surveillance in a “post-Snowden world,” referring to former NSA contractor Edward Snowden’s revelations about the agency’s collection of data on American citizens.

“The new way is in the form of a bill that absolves a company from sharing this data through government agencies,” he said. “The NSA wins by getting data, and companies win by being able to provide it while being immune from prosecution.”

And he said Feinstein’s claims that amendments protect personal privacy are misleading because those amendments, “do not govern the usage of ‘threat intelligence’ by agencies like the NSA. 

“In its current form, the bill allows for companies to share threat intelligence indicators with the NSA, the Department of Defense, intelligence agencies and U.S. Cyber Command, without going through DHS,” he said.

Still, CISA does have support from major players in the IT industry. FFTF has a list of them on its website, sardonically calling them “Team NSA,” which includes major telecoms like AT&T, Verizon and T-Mobile, along with other giants like HP, Comcast, Xerox, Intel and IBM.

Early this week, the group said Facebook had secretly been lobbying in favor of CISA, even though it is a member of the Computer and Communications Industry Association (CCIA), which publicly opposes it.

A Facebook spokesman denied any lobbying, but declined to say if the company supports or opposes CISA.

Ryan Stolte, co-founder and CTO of Bay Dynamics, a security analytics vendor, is one outspoken supporter. He thinks it is opponents of CISA, not its advocates, who are misunderstanding its provisions.

“It is not geared towards large technology giants that are already behind iron gates,” he said. “It’s the Targets, Home Depots, OPMs and other organizations that have either already been attacked or could be attacked at any moment that need the most help when it comes to cybersecurity.

“They need a community watch program where they all work together, sharing information between each other and the government about outside threats and attackers.”

He compared it to a group of merchants who share information about criminals who tried to rob one or more of them. “If those businesses consistently exchange photographs of criminals who robbed them from week-to-week, then they will all know who they should look out for and not let into their stores. They will have better security,” he said.

Michael Sussmann, a partner at Perkins Coie, is another who said that, on balance, CISA is a good bill. “Information sharing has always been a bedrock principle for good cybersecurity and CISA allows for greater sharing of information among industry and with government.

“It’s hard to predict the degree of benefit from greater abilities to share cyber threat information, but it will be a net positive,” he said. “The bill is not designed for surveillance of anything besides cyber threats and attacks and it contains a number of privacy protections.”

And Paul Kurtz, CEO and co-founder of TruSTAR Technology, said there is broad-based support for the sharing of threat information. “Industry groups representing companies that are often victimized in cyber attacks have made it clear that they believe information sharing is important to their defensive efforts,” he said.

CISA opponents agree that information sharing can have some value. But most agree with Robyn Greene, policy counsel of the New America Foundation’s Open Technology Institute, who has labeled it, “the 10% solution,” since, “90% (of attacks) are defensible with solutions that are already out there.”

The biggest problem, they say, is the loopholes that still allow for surveillance.

The vote does not mean CISA is a done deal as written. It still has to be reconciled with the House-passed information-sharing bills in a conference committee before it gets to the president’s desk.

Josh Withrow, legislative affairs manager at FreedomWorks, held out some hope that amendments – particularly the Wyden amendment – could make it “a little less awful.” And he said “tweaks” to the bill had addressed some of the privacy deficiencies.

But he said none of them, “fully address the root problem – the perverse incentive created by eliminating liability for misuse of improperly shared personal data. Nor does it do anything to address the core problem of the government and companies not doing enough to protect their data in the first place.”

(www.csoonline.com)

Taylor Armerding