The United States Senate this week passed a controversial cybersecurity bill designed to facilitate sharing of threat data between private companies and the government in an effort to prevent data breaches.
If the Cybersecurity Information Sharing Act (CISA) becomes law, it will be easy for private sector companies to share threat data with the Department of Homeland Security and other agencies. The information will be used to fend off cyberattacks aimed at American companies.
However, privacy and civil liberties groups claim CISA can have serious privacy implications as it gives companies free rein to share their customers’ personal information with the NSA and the FBI.
CISA in its current form is opposed by many, including whistleblower Edward Snowden. Experts contacted by SecurityWeek pointed out that while the bill is good in theory, there are some serious issues that need to be addressed.
And the feedback begins…
Tom Bain, VP Security Strategy, CounterTack:
"This is yet another key example of how politicians pretend to understand an issue and attempt to enact policy that follows.
Without any real enforcement capability in sharing intelligence, it's a waste of time. There's already enough sharing in place in some respects, but it's really all about the type of threat a given organization or agency is dealing with that will determine what type of intelligence is worth sharing.
No doubt there's a need to share information, but how that information is shared is what also should be weighed, almost as a transaction, because attackers will pounce if they know some mildly secure process is put in place for this, or if it's leaked or just available from the repository where this intelligence is stored."
Ryan Trost, CTO and Co-Founder, ThreatQuotient:
“The problem with the bill is deeply rooted in the core of the government culture where information sharing is difficult given either the data classification levels to share (government to private industry) or the lack of analytical trust amongst each other (government to government).
I spent years working in secure government operations centers and have seen this firsthand. I also think the government is heavily pushing the CISA bill to maintain a line of communication into ex-government analysts working in the industry sector. Over the past 5-6 years as the commercial industry has embraced the need for threat intelligence skills, they have done so at the mercy of the government workforce. Analysts that have been trained and groomed by 3-letter agencies have been enticed over to industry by companies that simply have a larger budget spend – more analysts, more tools, more information, etc. As a result, industry is getting more innovative with threat intelligence platforms that manage and correlate both external and internal security and analytics solutions.
The reality is that government will continue to share classified, more relevant cyber threat intelligence amongst themselves and distribute unclassified, likely aged threat data with industry; but time will tell if my skepticism is justified.”
Danelle Au, VP of Marketing, SafeBreach:
"The premise of real-time sharing of threat information between the private and public sectors makes sense. Shared security data can help us all be better prepared against the bad guys. In fact, coalitions formed to do this already exist -- Cyber Threat Alliance, FS-ISAC etc. The challenge with the Cybersecurity Information Security Sharing Act (CISA) is it was created, written and passed by legislators without proper understanding of security. With vague, overly broad definitions of what constitutes cyber threat indicators, or how the information will be shared among other government agencies (like the NSA), large parts of this bill need to be rewritten in order to be effective. We need to go back to the drawing board on this. This is too important to fail."
Elad Yoran, Executive Chairman, KoolSpan:
"The goals of CISA are laudable. However, while good in its intent, the reconciliation effort between the House and the Senate should address the privacy concerns of the private sector. Failure to correct these deficiencies may undermine the goal of the legislation, as companies would be reluctant to share information with the government. The Snowden revelations gave U.S. tech companies a black eye in the marketplace because people perceived that these companies were compromising their users’ privacy. The technology industry learned this lesson painfully and is still feeling the impact. A current example is the recent EU Court of Justice’s decision to torpedo Safe Harbor, a direct result of its view that data collection mechanisms of the U.S. Government violated EU privacy laws.
Companies in other industries observed what happened to the technology companies and may therefore be reluctant to share data with the government, if people perceive this as infringing on their privacy. Congress should realize that strengthening the privacy elements of CISA does not weaken the bill. In fact, it does the opposite: it strengthens the resulting legislation and increases the probability that companies will share information."
Jon Heimerl, Senior Security Strategist, Solutionary:
“The CISA bill sounds good in theory, but it may have difficulties in practice.
1. CISA relies on voluntary cooperation. No one knows how many breaches go unreported because the victim does not want people to know they are a victim. This will hold true in the future as well, and even companies which do share, are likely to withhold information about their vulnerabilities or environment which could potentially reveal trade secrets to their competitors. That information would probably be the same information which is most likely to help those competitors avoid being victims.
2. CISA relies on the effective cooperation and communication between Homeland Security, the FBI, the NSA, and other government agencies. Does anyone really believe that the bureaucracy behind a conglomeration of government agencies can get out of its own way and let the communication process flow cleanly and efficiently? Because in a breach, time is of the essence. If company A is under attack now, company B needs to know, right now, not three weeks from now after the information has been “shared” through the red tape of a series of interagency communications.
The most significant issue is that CISA trumps other laws which protect the privacy of your information, like PCI, HIPAA and HITECH. If push comes to shove, and the government wants the data, CISA trumps everything else. And intended or not, do we want to put that trump card in the hands of the federal government?”
Anup Ghosh, Founder and CEO, Invincea:
"Privacy and security are not and should not be mutually exclusive; one cannot exist without the other. Helping foster the industry’s ability to thwart cyber attacks by sharing that information in real time helps to stop threats from spreading, but it is important to do this without exposing private citizens' data to potential government abuse. We need a balanced solution that can empower companies to share the latest attempts at cyber intrusions and unauthorized access, while at the same time protecting user privacy, civil rights and civil liberties. Congress should support industry in finding a solution that is fair and allows industry and private citizens to protect themselves while helping cyber companies to grow to fill the need.
The limits of information sharing are mostly attributable to the expectations of its value. Today, the expectations of its tactical value are often too high. For instance, most advocates of information sharing are focused on the tactical capture and distribution of attack signatures. In most cases, however, exploits and malware are not re-used, thus making sharing of signatures not terribly useful in its current form. If the threat intelligence is captured by software and automatically shared machine-to-machine, then efficiency gains by automation can make this effort more worthwhile."
John Dickson, Principal, Denim Group:
“I have deeply mixed emotions about CISA because I feel like information panacea, in general, is not a panacea, but I’m encouraged the government knows we have a problem. Nearly 2/3 of organizations that are breached hear from third parties according to the annual Verizon Data Breach Report. That happens not because they lacked timely threat intelligence – many times their own systems already had indicators of a breach – but because they usually don’t have the deeply talented people or repeatable intrusion detection processes to identify anomalies. I’d add that defining some of the liability protections was a step in the right direction, and certainly something the government can do to provide clarity in the marketplace.”
Bill Anderson, Chief Product Officer, Optio Labs:
“The security world equivalent of ‘If a tree falls in a forest and no one hears it, does it make a sound?’ would be ‘If you have no idea your data has been leaked, is it still a violation?’ (hint: of course it is). The Cyber Information Sharing Act brings privacy rights into the spotlight, and in theory, the government is hoping to make us more secure. But with so much of our personal and business lives existing online in today’s digital world, there’s a fine line between defining consumer privacy rights and defining meta-data collection parameters that know a little bit about all of us.
CISA may enable an expanded program of quiet government collection on individuals’ data, but while the legislation states that data being shared can be stripped of PII, we have to wonder how easy it would be to put it together again to identify individuals and all of their activity. How do we know the new CISA repositories are going to be any better protected than the data lost in enormous breaches over the last five years? There is huge potential for sharing best practices and threat information within the industry, but let’s be realistic and admit that no one is immune to any threats. Placing consumer information in a giant CISA repository is as much an invitation to attackers as a tool for defenders. Let’s hope the next tree we hear falling is not an announcement that the CISA system has been breached.”
Andrea Limbago, Principal Social Scientist at Endgame:
"CISA is a good example of legislation that addresses the wrong problem. Public interest in digital security ebbs and flows with the news cycle, pressuring Congress to do something, but providing the opening to avoid the tough, technical and social decisions required to truly provide substantive change. After attempting to pass cybersecurity legislation for years, information sharing was in many regards the 'low hanging fruit' that could get passed despite its redundancy with many ongoing efforts. There currently are numerous outlets for information sharing – ranging from formal organizations like the ISACs to informal peer networks – and so this is unlikely to have significant impact.
In fact, even if information sharing does increase between the public and private sector, it will create a massive big data challenge for the government that requires a range of technical and personnel requirements for proper analysis. These are the same kind of challenges with connecting the dots of extant data that only become obvious post-incident.
CISA’s greatest long-term impact may instead be deepening the divide between government and the tech sector and civil liberties groups.”
Joseph Pizzo, field engineer at Norse:
“The general appearance of CISA looks to be a simple sharing of breach and exploit information with the government. When we move in closer and take a deeper look, that sharing of information becomes a little fuzzy. Based on the information that is intended to be shared (and shared and shared and shared) with potentially multiple government agencies, CISA lacks a few provisions that would offer protection. First, the proposed Amendments to CISA that were stricken appear to leave CISA a back door to potentially private information.
The information that could be shared covers various formats. This “back door” is potentially dangerous when looking at the volume of data and length of breach that occurred with the OPM breach several months back. I think the concern is that if data is shared among multiple agencies and the proof exists that this data is difficult to protect, the question remains, how can this be solid legislature?
Additionally, CISA does nothing to address the underlying issues of data, network and resource protection. It leaves the black hole of another breach open. This black hole can occur at any agency where the data has been shared. Ideally, personally identifiable information for citizens and network security would be addressed with a variety of solutions to protect this valuable data. CISA needs additional requirements to enforce a higher level of security and to provide enhanced privacy of data that is delivered.”
Mitchell Bezzina, Security Evangelist at Guidance Software:
“The CISA Bill opens the doors between government and private entities - rarely seen in intelligence gathering - to share cybersecurity threat indicators. This provides the community at large with the ability to better fend off threats unknown to their organizations. For example, if the forensic artifacts gathered from one attack could have been used to identify a breach in another similar organization prior to data exfiltration, it’s possible that over 50 million PII records this year alone could have been kept safe.
Private entities have been monitoring networks and endpoints for threat prevention, detection and defense for years and this will only heighten their ability to prevent the exfiltration of personally identifiable information of US and international consumers.
I hope that the CISA bill will be the first step in a string of related standards that allow and define the sharing of threat indicators.”
John Morello, Chief Technology Officer at Twistlock:
“It’s a sad day for citizens' privacy. The CISA bill has noble intentions to strengthen the nation’s security through information sharing, but to do so without any regard for the privacy of citizens is a mistake. It’s particularly surprising because you can easily argue that such unfiltered sharing actually increases our overall risk. When PII is shared so broadly and without control, it makes it more likely that it will be compromised downstream of the original spill, worsening future breaches.”
Dan Lohrmann, CSO and Chief Strategist at Security Mentor:
“Recently, there has been a rare bipartisan unity in Congress on legislative efforts regarding cybersecurity, as well as general support from the White House, which has been missing in previous years. Previously, the trouble has been that until you get the final version that both the House and Senate agree on, it is hard to know what will truly emerge and be signed by the President. As it currently stands, CISA ensures that organizations that share or receive information will not be sued for trying to improve their own, or others’, cybersecurity. For now, this is a good step, but let’s wait and see what happens.”
Steve Durbin, Managing Director, Information Security Forum:
“Unfortunately this kind of lawmaking is exactly what we do not need since it fails to address the issues of transparency and of encouraging organizations to openly collaborate.
I’m not overly concerned about the spying component in all of this – that will happen regardless – what frustrates me more is that the real focus on addressing the issue of cyber security should be in education and support to deliver robust cyber resilience in our systems and enterprises. No one is better suited to securing our data than the enterprise that holds it and individuals themselves; I see nothing in this bill that reinforces the responsibility of the C-suite to protect data, nothing to encourage open and collaborative sharing for the common good and nothing to promote education on the issues of being safe in cyber.”
Todd Helfrich, director of federal sales, ThreatStream:
“Cyber sharing is already happening, but all too infrequently. It’s time to institutionalize voluntary cyber sharing that shields personal privacy, and CISA can do that.
CISA formalizes the voluntary exchange of information with the government. It would allow the private and public sector to share the digital ones and zeroes behind the back wall of computer networks, where cyber traffic is tracked. It’s the technical data IT professionals have access to and use to assess the threats on systems while learning the adversaries’ methods and tactics. These valuable data points are called cyber threat indicators (CTIs). Sharing CTIs is the key to stopping, and even preventing, hack attacks.
CISA would encourage more companies to collaborate by providing liability protection for organizations sharing CTIs. It’s already standard procedure in the cyber world to scrub data, so only what is necessary is shared. CISA does not extend protection to a company that knowingly shares PII. CISA will help move national cyber defenses from a reactive to proactive stance, so we can catch the 21st century crook.”
Alastair Paterson, CEO and Co-Founder, Digital Shadows:
“Fundamentally, you cannot legislate away blind spots and other protection gaps that are caused by lax security measures in organizations that need to improve. The enactment of CISA, itself, will not resolve many issues, and we are definitely trading some privacy for what is very little in return.
Companies share data already through schemes like the ISACs. Unfortunately, the sharing often only includes high-volume, more available data that often floods security teams already overloaded with irrelevant information they have to sift through. In general, sharing is often still limited in favor of competitive advantage, and CISA is unlikely to change that.”
Andrew Conway, research analyst, Cloudmark:
“Many American Internet companies have customers all over the world. Social networks, security companies, hosting companies, ISPs, webmail providers, and many other American businesses all have access to sensitive personal and corporate data worldwide. Their customers rely on them to keep that data private. In most cases that is backed up by non-disclosure agreements (NDAs) or privacy policies. CISA says that American companies can't be sued for breaching those NDAs or privacy policies if they share information with the US Government. That would make it hard for those American companies to attract and keep customers in countries with strong privacy laws.
If law enforcement is investigating a particular criminal, they can get a search warrant or subpoena to request information, so long as they can meet the legal requirements for doing so. American companies are happy to comply with legal requests. They will also provide evidence of third party criminal activity to law enforcement unsolicited whenever there is a reasonable chance that the criminals can be brought to justice. However, having the US government decide that NDAs and privacy policies are not legally binding will not help with that, and it will limit our ability to do business outside the US.”
Ryan Stolte, Co-Founder and CTO, Bay Dynamics:
“The Cybersecurity Information Sharing Act (CISA) is a positive step in opening the channel of communication about indicators of compromise and other threat intelligence related to attacks coming in from the outside.
However, the Act is lacking in two areas which could make it counterproductive. First, as we have seen from the attack against the Office of Personnel Management, it’s tough to put our 100% trust in the government when it comes to how they are preventing our most valuable information from getting into the wrong hands. Under CISA, we will be sharing information with them and how are we supposed to know that information is being protected? Second, CISA is missing the boat on one of the core reasons why we keep seeing more breaches – security surrounding third party vendors. The lack of communication and visibility between organizations and the third party vendors they hire has led to numerous breaches and a government-backed framework may help close that gap.”