
CISA Security Bill: An F for Security But an A+ for Spying

Source: http://www.wired.com

When the Senate Intelligence Committee passed the Cybersecurity Information Sharing Act by a vote of 14 to 1, committee chairman Senator Richard Burr argued that it successfully balanced security and privacy. Fifteen new amendments to the bill, he said, were designed to protect internet users' personal information while enabling new ways for companies and federal agencies to coordinate responses to cyberattacks.

But critics within the security and privacy communities still have two fundamental problems with the legislation: First, they say, the proposed cybersecurity act won't actually boost security. And second, the "information sharing" it describes sounds more than ever like a backchannel for surveillance.

On Tuesday the bill's authors released the full, updated text of the CISA legislation passed last week, and critics say the changes have done little to assuage their fears about wanton sharing of Americans' private data. In fact, legal analysts say the changes actually widen the backdoor leading from private firms to intelligence agencies.

"It's a complete failure to strengthen the privacy protections of the bill," says Robyn Greene, a policy lawyer for the Open Technology Institute, which joined a coalition of dozens of non-profits and cybersecurity experts criticizing the bill in an open letter earlier this month. "None of the [privacy-related] points we raised in our coalition letter to the committee was effectively addressed."

The central concern of that letter was how the same data sharing meant to bolster cybersecurity for companies and the government opens massive surveillance loopholes. The bill, as worded, lets a private company share with the Department of Homeland Security any information construed as a cybersecurity threat "notwithstanding any other provision of law." That means CISA trumps privacy laws like the Electronic Communication Privacy Act of 1986 and the Privacy Act of 1974, which restrict eavesdropping and sharing of users' communications. And once the DHS obtains the information, it would automatically be shared with the NSA, the Department of Defense (including Cyber Command), and the Office of the Director of National Intelligence.

Unfiltered Oversharing

In a statement posted to his website yesterday, Senator Burr wrote that "Information sharing is purely voluntary and companies can only share cyber-threat information and the government may only use shared data for cybersecurity purposes." But in fact, the bill's data sharing isn't limited to cybersecurity "threat indicators"—warnings of incoming hacker attacks, which is the central data CISA is meant to disseminate among companies and three-letter agencies. OTI's Greene says it also gives companies a mandate to share with the government any data related to imminent terrorist attacks, weapons of mass destruction, or even other information related to violent crimes like robbery and carjacking. The latest update to the bill tacks on yet another kind of information, anything related to impending "serious economic harm." All of those vague terms, Greene argues, widen the pipe of data that companies can send the government, expanding CISA into a surveillance system for the intelligence community and domestic law enforcement.

"If information-sharing legislation does not include adequate privacy protections, then... it's a surveillance bill by another name." (Senator Ron Wyden)

"CISA goes far beyond [cybersecurity], and permits law enforcement to use information it receives for investigations and prosecutions of a wide range of crimes involving any level of physical force," reads the letter from the coalition opposing CISA. "The lack of use limitations creates yet another loophole for law enforcement to conduct backdoor searches on Americans—including searches of digital communications that would otherwise require law enforcement to obtain a warrant based on probable cause. This undermines Fourth Amendment protections and constitutional principles."

Even when it comes to cybersecurity data-sharing, privacy advocates say CISA would give companies a legal loophole to mix users' personal information into the "cyber threat indicators" they pass on to federal agencies. The bill does have a provision designed to filter "personally identifiable information" out of that data. But it's far too weak as written, says Julian Sanchez, a research fellow at the CATO Institute. He points to the language in the bill that calls on companies "to assess whether [a] cyber threat indicator contains any information that the entity knows at the time of sharing to be personal information of or identifying a specific person not directly related to a cybersecurity threat and remove such information."

That "knows at the time of sharing" phrase, Sanchez argues, means that companies can share personal information they haven't yet proven to be unrelated to a cyber threat. And that's especially impractical given CISA's purpose of spreading initial warnings of a possible threat quickly enough to prevent it, often before it's been fully analyzed. Take the example of a distributed denial of service attack designed to knock a target website offline with a stream of junk data. Sophisticated DDoS attacks often impersonate legitimate traffic, raising the risk that innocent traffic—and identifying IP addresses—would be included in data shared with the government.

"At the time of sharing it will be very unclear if it's innocent activity," says Sanchez. "And there's no obligation to do due diligence to figure out if it's innocent or isn't."
