
CISA added to budget omnibus, with privacy protection stripped

The Cybersecurity Information Sharing Act passed after being added to the emergency budget omnibus bill, but critics warned the privacy protections have been stripped out.

The Cybersecurity Information Sharing Act (CISA) has consistently been criticized by security and privacy advocates, but at the time of this publication on Friday the bill had passed both the House and the Senate after being packaged with an emergency budget omnibus bill.

Congress introduced an emergency 2,000-page budget bill, into which the reconciled CISA bill was inserted. Experts said that because the emergency budget bill is needed to prevent a government shutdown, it is very likely to pass.

Rebecca Herold, CEO of Privacy Professor, said the bill, as presented, may not be the final version.

"There is still time to make changes in the bill, and privacy groups are scrambling today and pushing for such changes," Herold said. "However, since President Obama has already expressed his approval for including CISA in the bill, it is highly unlikely that he will veto it. And to do so would likely result in much harm to those that the other parts of the bill cover."

CISA has been touted by Congress as a way to promote threat-intelligence sharing between enterprise and the federal government. And although it was criticized, there was hope it could be fixed in reconciliation. However, the version of CISA included in the omnibus has removed a number of privacy protections.

According to Mike Masnick, founder and CEO of Floor64, Congress has dropped "all pretense that CISA isn't about surveillance."

Masnick said the latest version of CISA removed the restriction on information being shared directly with the National Security Agency instead of being filtered through the Department of Homeland Security; removed restrictions on the information being used for surveillance purposes; allows information to be used to pursue criminal activity, rather than only for cybersecurity; and removed the requirement to anonymize personal information unrelated to a cybersecurity threat.

Evan Greer, campaign director for Fight for the Future, the campaign group that rallied against the Stop Online Piracy Act, said it is clear that CISA was never intended to prevent cyberattacks.

"It's a disingenuous attempt to quietly expand the U.S. government's surveillance programs, and it will inevitably lead to law enforcement agencies using the data they collect from companies through this program to investigate, prosecute and incarcerate more people, deepening injustices in our society, while failing to improve security," Greer wrote in a blog post. "Congress has failed the Internet once again."

Herold said the law, as written, could end up causing more privacy breaches.

"They did include in the bill for federal and nonfederal agencies to establish procedures to remove personal information 'not directly related to a cybersecurity threat' prior to sharing. But it is worded broadly and open to interpretation," Herold said. "It is so ironic that a law written to help prevent security incidents could ultimately result in more privacy breaches, because security -- anonymization methods, etc. -- requirements for sharing data were not explicitly required or detailed within the law."

Adam Kujawa, head of malware intelligence at Malwarebytes Labs, remained optimistic that the trend towards privacy would prevail, despite there being no overt requirement in the legislation.

"Regardless of any actual government legislation, a lot of companies have taken many steps toward securing their user data, as well as being more transparent on what they do with that data," Kujawa said. "Therefore, regardless if this bill passes and if companies are not required to sanitize their information, public opinion and a general shift in how personal data is perceived could be enough to make companies remove that data from any threat intelligence they send to the government."

Adam Meyer, chief security strategist for SurfWatch Labs, said Congress adding CISA to the omnibus instead of through the normal process was "a move of desperation."

"Congress has never been able to pass a single cybersecurity law, and with all the high-profile breaches in the daily news, there was a strong desire to 'do something,'" Meyer said. "Attaching it to a bill that has to pass in order for the government to function is a sure way to get it through the process."

Herold wasn't as diplomatic with her assessment of the action.

"This is not leadership," Herold said. "It is demonstrating the duplicitous actions lawmakers are willing to take to promote their own agendas and get laws passed that are, ultimately, not good for the general public, but that support their own misguided goals established as a result of widespread lawmakers' technology ignorance."
