It looks good on paper: A bill under consideration in the U.S. Senate would encourage businesses and government agencies to share information about cyberattacks.
But critics of the Cybersecurity Information Sharing Act argue that it would allow the NSA and FBI to get their hands on personal information held by businesses.
The main objective of CISA, sponsored by Sen. Richard Burr (R-N.C.), is to protect businesses against customer lawsuits when they share so-called cyberthreat indicators with one another and with federal agencies. More sharing could help them better respond to threats, according to high-profile supporters such as the U.S. Chamber of Commerce and the National Cable & Telecommunications Association.
Cyberthieves have stolen personal information belonging to millions of U.S. residents in the past year, and CISA would help organizations fight off those attacks, Burr said earlier this year.
“We can no longer simply watch Americans’ personal information continue to be compromised,” he said in a statement. “This bill is long needed and will help us combat threats to our country and our economy.”
Several privacy and civil-liberties groups, however, say CISA wouldn’t clearly prohibit businesses from sharing customers’ personal information. Instead, it would require the U.S. attorney general to develop guidelines for businesses, under the assumption that their shared data would “unlikely” include personal information or identify specific people not involved in cyberthreats.
Critics also say the bill would allow government agencies to use shared cyberattack information in investigations of activities completely unrelated to cybersecurity, such as espionage or suspected terrorist activity.
CISA has “several privacy defects,” says Greg Nojeim, senior counsel at digital-rights group the Center for Democracy & Technology. “It’s a surveillance bill in cybersecurity clothing.”
Supporters of CISA say the bill would help businesses and government agencies combat threats such as botnets and malware by encouraging them to share cyberthreat information in close to real time, instead of waiting for lawyers’ approval.
By the time lawyers give their green light, “these threats have already been disseminated well across the Internet,” says Alan Roth, senior executive vice president of ISP consortium USTelecom, a bill backer.
CISA is “about getting the lawyers out of the room and letting the engineers talk to each other,” he adds.
Groups such as the CDT that are raising privacy issues about CISA may have “honest concerns” but are misreading it, according to Roth, who notes that the bill calls for attorney general guidelines regarding the “timely destruction” of shared cyberthreat data, in addition to limited use of personal information.
The continuous parade of data breaches is a far greater threat to privacy than the information-sharing process the bill would set in motion, Roth adds.
In the “rare instance that some of that personal information might slip through, the overwhelming balance of interest here favors the millions of Americans who would rather see their privacy protected by not having their data stolen,” he says.
Republican leaders in the Senate are pushing for a floor vote on CISA this fall, though a group of senators from both parties blocked a vote in August. The House of Representatives passed a similar bill in April.
Critics say CISA contains several flaws:
- It lacks hard rules against businesses sharing or agencies retaining personal data.
- It lacks a clear definition of permissible cyberattack countermeasures. There’s a fine line between a defensive measure and one that damages other computers or networks.
- It doesn’t prohibit government agencies such as the FBI and the NSA from using shared cyberattack information in investigations of activity unrelated to cyberattacks.
The bill “potentially opens up major loopholes for vast amounts of surveillance of innocent people who are suspected of wrongdoing,” says Evan Greer, campaign director of Fight for the Future, a digital-rights group that has pressured tech companies to oppose CISA.
Some critics also question whether CISA would be effective. In some recent data breaches, attackers have used novel approaches to target specific companies or government agencies. Sharing those methods might have a limited application to other organizations, they say.
And many data breaches, Greer says, stem from a company or government agency “essentially not locking its front door.”
CISA is a Band-Aid attempt to take action on cybersecurity, Greer says, noting that previous attempts to regulate security practices failed due to opposition from business groups.
Instead of protecting businesses against lawsuits, “we need to be taking steps to improve our digital hygiene, to use basic security practices,” she adds. “We should be holding companies and the government responsible, if they fail to do so.”