The U.S. Senate is prepping for another attempt at legislation to promote threat intelligence sharing, but one...
expert said the bill has "significant problems" and misses the mark.
The Cybersecurity Information Sharing Act (CISA) of 2015 is scheduled to go before the Senate this fall. There have been two previous CISAs to go before the Senate, both sponsored by Sen. Diane Feinstein (D-Calif.) -- one in 2012 and one in 2014 -- but both failed. And the early sentiment on this new bill -- sponsored by Sen. Richard Burr (R-N.C.) -- is that it is "slightly less bad" than the previous attempts.
The Electronic Frontier Foundation (EFF) has run campaigns against the legislation and has said in a blog post that new amendments to the CISA of 2015 fail to address the new "spying powers" that would be granted to government agencies.
Rebecca Herold, CEO of Privacy Professor, echoed this sentiment and said that as written, the bill doesn't promote threat intelligence sharing as much as it forces organizations to share data with the government or be put at a disadvantage with their competitors who do participate.
"The government is the collector, provides the repository for, and is ultimately responsible for the security of the data being shared," Herold said. "The government is not a reliable entity for such activities, as the long history of its many security incidents and privacy breaches demonstrate. Any entity entrusted to such actions should be an objective entity, and have those with demonstrated expertise and success in protecting data doing the work and management."
Herold also noted that the rules surrounding breach liability protection, which are designed to promote information sharing, are overly broad to the point that they eliminate all accountability.
"The protection from liability eliminates all accountability and recourse for those individuals involved in any breach of data," Herold said. "If monitoring includes the collection of personal information, and that information is used inappropriately, shared inappropriately or breached, the involved individuals would have no recourse. They would just have to deal with any associated harms themselves. This is not acceptable."
As currently written, the bill would also provide an exemption to the Freedom of Information Act, which Herold deemed "completely unacceptable, because it eliminates government transparency, and opens the door even further to the misuse and inappropriate sharing of data beyond the other provisions."
However, the EFF noted that there is a proposed amendment from Sen. Patrick Leahy (D-Vt.), which would remove that provision.
Ultimately, though, the EFF said the language used in the bill is far too broad and vague to be safe.
Rebecca HeroldCEO of Privacy Professor
"CISA's vague definitions, broad legal immunity and new spying powers allow for a tremendous amount of unnecessary damage to users' privacy, and it's highly unlikely that the public will learn about it. Even an amendment offered by Sen. Al Franken (D-Minn.), which narrows some of the definitions in CISA, does little to clarify its most troubling provisions."
Herold said it is important to create a sound and secure way to allow organizations to collect, share, and analyze cybersecurity threat and vulnerability data, but the government has not proven it can be trusted to be the collector of such data, and Congress has not proven it is capable of writing the necessary legislation.
"A significant problem, past and current, with legislators writing information security laws is that the vast majority of them have no clue about how to actually implement effective information security controls, and have even less understanding about what is realistic and not realistic when it comes to security technologies," Herold said. "And sadly, very few have demonstrated an actual effort in truly learning and understanding about information security.
"CISA, as written, would not significantly improve security and would create an entirely new set of inane bureaucratic requirements passed to falsely placate the fears of the public, and to stroke the insatiable egos of politicians who like to posture and look like they care, when all they are actually doing is flinging fear, uncertainty and doubt to inflate their own political importance."