111 K Street NE
Washington, DC 20002
- Toll Free 1.888.564.6273
- Local 202.783.3870
This week, the Senate is set to finally take up its Cybersecurity Information Sharing Act (CISA), S. 754. In the wake of several high-profile international hacking events, CISA is being sold as an essential component of national cybersecurity. Unfortunately, not only does this bill not address the fundamental difficulties with protecting our critical data, it also creates perverse incentives for companies and adds further to the massive collection of our private data by government agencies.
The main problem that CISA purports to solve is that of sharing data on cybersecurity threats and vulnerabilities between private companies and the government, and vice versa. It does this by providing companies who share cyber threat data with broad legal protections for sharing cyber threat indicators with the government.
But the bill falls well short on protecting your private data, containing overly broad language on what companies must do to prevent sharing around the sensitive personally identifiable information (PII) that can be attached to cyber threat indicators. This creates a worrisome incentive, because without a direct incentive to scrub the data they are sharing of innocent users’ PII, companies could end up sharing customers’ information with other companies that themselves may have inadequate data security, putting your data at further risk.
Even more alarming is what the government does with the data – potentially containing sensitive PII – that they receive from these companies. First, government databases themselves are obviously in need of heightened security, given the massive data breaches of the Office of Personnel Management and other agencies. Yet there is nothing in the bill that addresses the sometimes lax security and the large target profile of these major government databases. This is made far worse by the fact that upon receiving threat data from companies, CISA requires the Department of Homeland Security to immediately disseminate this data to a wide range of government agencies – which ominously includes the NSA and FBI.
CISA also gives companies the permission to retaliate against cyber threats, which could harm innocent sites, since hackers often confuse their online signatures by launching their attacks from third party IP addresses that they have commandeered.
Experts and advocates from all over the spectrum have been coming out to oppose CISA. A host of security experts and privacy advocates have emphasized that CISA is not even necessary and that it fails to protect individuals' privacy. Major tech companies and many of the largest websites have come out against the bill for the same reason, from Google, Facebook and Yahoo, to Yelp and Wikipedia.
Cybersecurity is certainly a crucial issue in an increasingly internet-dependent world, but CISA is the wrong approach. There are a number of amendments that could potentially improve the bill, which would certainly be good, but as the Open Technology Institute's Robyn Greene helpfully lists out, the bill is so fundamentally flawed that even amended it should not be worthy of support.