Report Shows Pretext for Passing CISA Was All Wrong

As the adage goes, politicians can simply never let a good crisis go to waste. So it was no big surprise when formerly infosec-apathetic lawmakers seized upon last year's dramatic Office of Personnel Management (OPM) hack to bolster the languishing and controversial Cybersecurity Information Sharing Act (CISA). But contrary to the pro-CISA crowd's claims, "insufficient sharing" of our personal data by corporations and government agencies had nothing to do with the failure at OPM—and a new joint report from the FBI and the Department of Homeland Security (DHS) makes this clear. No, according to these agencies, we can blame the OPM failure on good, old-fashioned bureaucratic incompetence.

Sean Lyngaas of FCW obtained the report, which identifies a "lack of strong IT policies" as a key factor that led to the breach and still leaves OPM at a "high risk for future intrusions." And what do DHS and FBI believe would help? Not CISA-style information sharing but better identity-management controls and data-analysis tools.

Overall, the report lends more support to what information-security experts have held throughout the CISA debates: organizations do not get hacked for a lack of government data extraction.

To really understand how the government's own cybersecurity failures were used as a pretext to grab more surveillance power over its citizens, we need to first understand where these ideas came from and why they failed. CISA is only the most recent in a long line of attempted government collusion with industry to remove liability from corporations that share private data with federal agencies. In 2011, the legislature introduced a series of bills that would have greatly increased the government's control over the Internet, such as the intellectual property-related "Stop Online Privacy Act" (SOPA) and the forerunner to CISA, known as the "Cyber Intelligence Sharing and Protection Act" (CISPA). These proposals provoked a sharp negative response from Internet communities, many of whom enacted a series of high-profile "black outs" of popular websites in protest.

Both bills were strongly condemned for the inexcusable powers over Internet search, access, and data they would have granted the government. But SOPA enjoyed stronger opposition from much of the technology sector because it would have imposed burdens on corporations to comply with intellectual-property procedures. CISPA, on the other hand, would have actually granted privileges to companies who participated. For this reason, the liability protection at the heart of CISPA (and later, CISA) had much more legislative staying power.

Both CISPA and CISA were premised on the idea that cyberattacks happen because the government cannot warn organizations about impending threats in time for IT professionals to properly protect their systems. Supporters theorized that corporations might be scared to share critical information with government agencies because they feared lawsuits from customers whose data might be improperly shared. Therefore, CISA proponents argued, the government should prevent American citizens from being allowed to sue corporations for mishandling data when sharing it with the federal government. Once data could be more freely shared between corporations and federal agencies, the thinking went, our nation's cybersecurity would be more secure.

If this logic sounds screwy to you, you're not alone. Most information security experts dispute that increasing "information sharing" between government and private bodies will significantly reduce security breaches in the way that CISA advocates claim. Numerous information-sharing initiatives already exist within the federal government alone, in addition to the multiple non-profit information sharing and analysis centers (ISACs) that coordinate multilevel cyberthreat sharing within specific industries.

Most damaging to this concept, however, is the federal government's own terrible cybersecurity track record. The OPM is not the only agency whose information systems are constantly thwarted by their own lack of good data-hygiene and responsible precautions—in fact, it's harder to find an agency that isn't constantly succumbing to boneheaded mistakes and internal protocol violations. Accordingly, federal info-security failures have increased by an astounding 1,169 percent since 2006, despite spending billions of tax dollars on identification and notification systems over the same time. If the government cannot even warn itself in time to prevent breaches, why should we expect them to become magically more capable when tasked with administering the entire nation's cybersecurity?

Furthermore, if CISA was really about cybersecurity, why did the bill's text explicitly authorize agencies to store and access any data collected through cyberthreat sharing to prosecute wholly unrelated activities like terrorism, violent crime, and intellectual property violations?

In reality, CISPA and CISA were not about cybersecurity at all. Rather, these "information sharing" proposals were a way to secretly expand government surveillance along dimensions rivaled by only the PATRIOT Act while rewarding loyal corporate collaborators with legal protections. And new slides leaked by Edward Snowden in 2015 provide more behind-the-scenes context: CISA conveniently provides legislative cover for specific extralegal powers that the NSA and FBI was pursuing in secret for years.

Yet without a national tragedy to drum up support for CISA, the intelligence community was facing an uphill battle against privacy and security experts who publicly lambasted their attempts. That is, until the OPM hack last June, and to a lesser extent the Sony hack in 2014. These incidents provided just the chaotic narrative environment that policymakers needed to push this bad policy on the American public and through Congress.

CISA sponsor and Intelligence Committee Chairman Sen. Richard Burr (R-N.C.) was quick to invoke the OPM hack as an imperative justification for his surveillance bill in cybersecurity clothing: "Not only does CISA propose a solution to help address [threats like the OPM hack], it does so in a way that works to ensure the personal privacy of all Americans, " he said. Unsurprisingly, the people at the American Civil Liberties Union and Electronic Frontier Foundation who make it their business to ensure that Americans' privacy online is actually protected strongly disputed Burr's characterization.

After trying and failing to push expanded surveillance on Americans through CISA for half a decade, Congress finally succeeded this winter by sneaking "information sharing" into law through the omnibus bill. The saga of CISA is an excellent case study for the unfortunate reality of legislative priorities: if the intelligence community wants something, they'll usually get it, no matter how convoluted the rationale and tenuous the connection to stated aims.