How CISA Threatens Both Privacy and Cybersecurity
Information sharing just doesn't work like CISA advocates imagine.
This May, Congress is expected to come together on a bill to protect private entities that secretly share user data with federal agencies. Privacy advocates say the Cybersecurity Information Sharing Act (CISA) threatens Americans' civil liberties by sanctioning yet another avenue for government surveillance. But there's another big problem as well: CISA is unlikely to meaningfully prevent cyber-attacks as proponents claim, and could ultimately weaken cybersecurity.
The stated premise behind laws like CISA (and the defeated 2013 Cyber Intelligence Sharing and Protection Act) is that cyber-attacks can be prevented if private network operators are able to quickly report and disseminate information about new threats and vulnerabilities. Proponents envision a seamless, national cybersecurity-threat system to roust the hackers, coordinated by the federal government.
Existing private and public information sharing initiatives do not go far enough, CISA advocates claim, because private companies fear lawsuits from customers who may not agree that their security is improved when spooks can surreptitiously search their personal data. To overcome this purported problem, CISA would extend legal immunity to corporations that choose to grant the Department of Defense (DOD), Department of Homeland Security (DHS), and Director of National Intelligence (DNI) access to customer data considered relevant to a "cybersecurity threat." This data could then be shared or concealed at federal agencies' discretion.
But CISA's legal remedies far exceed proponents' justifying foundations. Section 5(d) of the bill text, which governs how federal agencies can use information gleaned from the private sector, grants the government authority to "disclose, retain, and use" any data extracted under CISA for such disparate purposes as identifying terrorists, responding to threats of bodily or economic harm, preventing child exploitation, or prosecuting normal criminal offenses. Including such unrelated authorizations could distract from a primary cybersecurity mission and create dangerous incentives for officials to procure information for criminal investigations under false premises.
Ironically, we may be partially inoculated against such potential abuses by the federal government's lack of technological prowess. The sophisticated coordination required to pull off a CISA-style information-sharing network is easier said than done, as previous failed experiments of this kind corroborate. The federal government has a longstanding inability to effectively share information even with itself; at least 20 separate information-sharing offices exist, with little coordination (or even knowledge) of each other's ventures. Somehow, this bureaucratic cacophony did not prevent the 1,012 percent increase in reported federal information security incidents since 2006.
The feds' poor history of internal information-security provision renders it an especially poor candidate to manage the sensitive data of an entire nation. Alarmingly, almost 40 percent of all security breaches reported over the past six years involved the personally identifiable information of personnel and civilians. The agencies that would be most empowered under CISA reported some particularly boneheaded bloopers. DOJ employees downloaded malicious software from sketchy websites onto agency equipment 182 times last year. A reported 1,816 DHS computers simply vanished without a trace. The DOD had a nasty malware problem as well, with 370 incidents reported during fiscal-year 2014. Entrusting reams of juicy private data in the clumsy care of these three stooges of information security could create an irresistible target for lulz-hungry hackers.
Sophisticated software tools have not helped government agencies, either. In 2003, the DHS created the National Cybersecurity Protection System to detect and analyze network intrusions, share information with relevant offices, and prevent and repel network breaches for all civilian federal agencies. Its vaunted three-part EINSTEIN software suite, designed to automate federal network intrusion monitoring and prevention, turned out to be an expensive dud, too technologically crude to handle the complex central identification and communication efforts necessary. And there may never be a powerful enough EINSTEIN to adequately coordinate and respond to the massive amounts of private data that would be collected under CISA.
Even if we could remove CISA's sketchy non-cybersecurity provisions and turn the federal government into a godly font of efficiency, CISA would fail to improve cybersecurity because information sharing just doesn't work like CISA advocates imagine it does.
As security researcher Robert Graham points out, these kinds of programs devolve into a kind of overwhelming "false positive sharing system." Seasoned hackers know how to easily evade detection, so mostly false alarms are triggered. Innocent parties' online activities are thus more likely to be hoovered up and analyzed than capable cybercriminals' signatures. And by the time analysts can sort through the terabytes, they may find that sharing that information can do little to prevent an attack anyway. One survey of information security professionals found 87 percent did not believe CISA will significantly reduce security breaches.
Insufficient "information sharing" is only one small issue among many larger problems plaguing network security. Industry studies find that external attacks only constitute 37 percent of reported root causes; system glitches and human error respectively make up 29 percent and 35 percent of the remainder. These kinds of vulnerabilities can be patched through user education, strong authentication, and proactive system testing and improvement—not backwards-looking information sharing.
CISA's sole emphasis on this small component of network security could instill a dangerous complacency among those who feel following the feds' lead absolves the need to proactively anticipate threats and continually improve security practices. If enough people believe that their cybersecurity is "taken care of" because the government will alert them to any threats, CISA will serve to ultimately weaken cybersecurity by causing users and operators to neglect critical factors arguably more imperative for robust cybersecurity.
CISA actually bucks the usual liberty/security trade-off, because it threatens our civil liberties without meaningfully improving cybersecurity—and could potentially even weaken it. We should dump this Trojan and focus on developing bottom-up, collaborative security practices that will actually work.