Controversial new cybersecurity law may compromise privacy
Critics argue that CISA is more about surveillance than security
The recent, highly publicized cyberattacks on Sony and the U.S. government’s Office of Personnel Management exposed sensitive data about millions of people. In Congress, lawmakers responded by approving the Cybersecurity Information Sharing Act, or CISA. But some critics say the bill, which President Obama signed into law on Dec. 18, not only would have done nothing to prevent those attacks, but also erodes personal privacy.
CISA encourages companies to share digital signatures — unique codes that track the origins of electronic communications, including the sender’s IP address — associated with possible security threats, both with each other and with the U.S. government. Supporters say this information sharing makes it easier for companies and the government to quickly get out ahead of security threats by alerting each other to the origin and nature of potential breaches. Opposition to the new law has come from technology companies, along with advocacy groups, such as the American Civil Liberties Union, that are worried about protecting privacy.
Critics say CISA’s focus on digital signatures is invasive and fails to include more current and relevant threats. Some even question whether the slow-moving machinery of lawmaking can ever keep up with the breakneck pace of the online world, where entirely new kinds of security threats regularly arise in an instant, seemingly out of nowhere.
“It was the intention of our founding fathers that policy should be slow because it prevents tyranny,” says Elissa Shevinsky, head of product at Brave, a company that focuses on easy-to-use privacy software. “If policy were fast, we’d be in a surveillance state. We’d have CISA already. It’s on us to fight hackers at the pace of hacking.” Private cybersecurity companies like hers, she adds, are better positioned to handle these security issues.
Privacy concerns are a key issue for critics like Shevinsky, who say CISA erodes privacy rights by going too far in encouraging companies to share private information with the U.S. government. An important element of the bill would protect companies from liability if they shared such data. According to Shevinsky, that would encourage companies to flout their own privacy policies by sharing their customers’ personal information. Before the bill passed, federal agencies could penalize companies for betraying their privacy policies, she says. CISA in its current form would not require companies to scrub customers’ identifying information from the data before sending it to other companies or the government. “CISA makes it so they can [share private information] in broad daylight,” Shevinsky says.
While CIA Director John Brennan, who publicly supports CISA, has mentioned the privacy issue, he has failed to address specific concerns. “The benefits of improved information sharing can be achieved in a manner that protects privacy and civil liberties,” he said in a speech in November. But his office declined to comment further.
The White House endorsed the bill even before it passed the Senate, so it was no surprise that the president signed the must-pass federal budget bill to which the House of Representatives added CISA in December. And while the White House previously identified the need for more robust privacy protection, the bill passed with no improvements to CISA’s privacy provisions. “One of the main things we were searching for was for companies to scrub personal data, and that did not make it into the bill,” says Mark Jaycox, a legislative analyst at Electronic Frontier Foundation, a nonprofit organization whose stated mission is defending civil liberties in the digital world.
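What the scrubbing Shevinsky and Jaycox call for would look like in practice, as an added illustration that is not part of the article and not code from EFF, Brave or any other party quoted here: a data-minimization step that keeps only the technical fields of a threat indicator (IP address, file hash, domain, timestamp) and redacts personal identifiers from free text before the record is passed to a sharing partner or a government agency. The sample record, its field names and the `ACCT-####` account-id format are all constructed for the example.

```python
import re

# Constructed sample: an internal incident record as a company might hold it
# before sharing. The customer details and account id are invented.
RAW_INDICATOR = {
    "indicator_type": "malicious_ip",
    "source_ip": "203.0.113.45",  # RFC 5737 documentation address
    "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "domain": "example.invalid",
    "first_seen": "2015-12-01T10:22:00Z",
    "customer_name": "Jane Doe",
    "customer_email": "jane.doe@example.com",
    "account_id": "ACCT-0042",
    "analyst_notes": "Phish sent to jane.doe@example.com, account ACCT-0042 locked.",
}

# Allowlist: only fields that describe the threat itself may leave the company.
# Anything not listed is dropped rather than relying on a denylist of PII names.
TECHNICAL_FIELDS = frozenset({
    "indicator_type", "source_ip", "sha256", "domain", "first_seen", "analyst_notes",
})

# Patterns for identifiers that tend to leak through free-text fields.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
ACCOUNT_RE = re.compile(r"\bACCT-\d+\b")  # hypothetical internal account-id format


def redact_free_text(text):
    """Replace e-mail addresses and account ids inside analyst prose."""
    text = EMAIL_RE.sub("[email redacted]", text)
    text = ACCOUNT_RE.sub("[account redacted]", text)
    return text


def minimize_indicator(record):
    """Return (shareable_record, dropped_field_names).

    Fields outside the allowlist are removed entirely; string fields that
    survive are scrubbed of embedded identifiers.
    """
    shared = {}
    dropped = []
    for key, value in record.items():
        if key not in TECHNICAL_FIELDS:
            dropped.append(key)
            continue
        shared[key] = redact_free_text(value) if isinstance(value, str) else value
    return shared, sorted(dropped)


def contains_personal_data(record):
    """Final check before release: does any string value still match a PII pattern?"""
    for value in record.values():
        if isinstance(value, str) and (EMAIL_RE.search(value) or ACCOUNT_RE.search(value)):
            return True
    return False


if __name__ == "__main__":
    shared, dropped = minimize_indicator(RAW_INDICATOR)
    print("dropped fields:", dropped)
    print("shared record:", shared)
    print("PII remaining:", contains_personal_data(shared))
```

The allowlist is the important design choice: a denylist of "customer_*" fields would miss the identifiers that analysts routinely paste into notes, which is why the surviving free text is scanned a second time and the record is rejected if anything still matches.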
But privacy is only the beginning of critics’ objections to CISA. The new law is supposed to make it easier to collect and share data on security threats, but that’s not where the bottleneck is, says Matt Wollenweber, an independent security researcher who formerly worked as principal security engineer at George Washington University. “Enterprises already share threat intelligence through a variety of tools and organizations,” says Wollenweber. The U.S. Computer Emergency Readiness Team and the FBI receive more cybersecurity data than they can effectively use because they lack the capacity to analyze it all, he argues.
More data might even make the problem worse, Shevinsky says. “The government may be taking on too much data and won’t be able to process it.” Insufficient data is not the weak link right now, she says.
To bolster their case against CISA, cybersecurity professionals point to two of the most high-profile security breaches of the last two years: the Sony hack and the breach at the federal government’s personnel office, which gave hackers access to private information on an estimated 21.5 million federal employees.
“Given that the principal problem is making operational use of the flood of cyber threat data, it’s hard to accept” that CISA could have prevented either hack, Wollenweber argues.
Sen. Ron Wyden of Oregon was one of two members of the Senate Intelligence Committee, which put forward the bill, to vote against CISA when it passed the Senate in October. He agrees with Wollenweber’s criticism. “This bill will do little to protect Americans from sophisticated hacks,” he says in a statement.
But some industry leaders argue that CISA would have helped. “It is highly likely that more timely exchange of threat information between the U.S. government and among private companies would have mitigated the extent of cyber attack activity which occurred in the past,” asserts David Burg, a top cybersecurity manager at the global consulting firm PricewaterhouseCoopers. CISA allows government agencies to move much more quickly to alert companies that they have been hacked, which Burg says has been a bottleneck in the past. “Once the bad guys are in, they expand their footprint, evaluate the environment and take more information out without being detected,” he says. “The sooner you know you’re dealing with a [breach], the sooner you can deal with it.”
Burg supports CISA as an important tool for preventing future attacks, and so does the Protecting America’s Cyber Networks Coalition, a collection of 51 industry groups, including the U.S. Chamber of Commerce and the American Petroleum Institute.
Critics like Wollenweber argue that it should be possible to increase cybersecurity without further eroding personal privacy. He advocates for private networks where businesses can share information on cyber attacks. “As data is more effectively aggregated and cleaned by reliable systems, businesses can more easily integrate those feeds into their defense and monitoring systems,” he says. Simply sharing threat data will not be an end-all solution, he acknowledges. But this type of information sharing will allow cybersecurity experts to block new threats more quickly than they currently can.
Jaycox says these private threat-sharing networks work. “We’ve supported this approach previous to CISA since the companies tended to be very careful about only collecting technical data and the necessary information.” He emphasizes that tech companies came out against CISA by saying that it would sacrifice consumers’ privacy and wouldn’t help prevent data breaches. “It’s unfortunate that Congress didn’t listen to the experts on the issue,” he says.
Jaycox points to government agencies’ own reports on security breaches for evidence that more data collection and information sharing are not the best solutions. “When you look at those breaches, they weren’t due to lack of information sharing,” he says. He cites servers not updated properly, outdated systems and uneducated end users as the major weaknesses exploited by hackers. “There’s a lot of low-hanging fruit that the government isn’t targeting.”
*Corrections, January 25, 2016. The following errors have been corrected from the originally published version of this story:
Elissa Shevinsky, formerly the chief executive of JeKuDo, is now the head of product at Brave.
Matt Wollenweber, who now works at ThreatStream, was not affiliated with them at the time of this interview.