Homeland Security Watch

News and analysis of critical issues in homeland security

October 29, 2015

CISA and us

Filed under: Cybersecurity, Infrastructure Protection, Privacy and Security — by Philip J. Palin on October 29, 2015

Tuesday the Senate passed the Cybersecurity Information Sharing Act of 2015 by a vote of 74 to 21.   This bill is similar to a measure passed previously by the House.  Reconciliation is likely.

Part of the Congressional Research Service summary:

Requires the Director of National Intelligence (DNI), the Department of Homeland Security (DHS), the Department of Defense (DOD), and the Department of Justice (DOJ) to develop and promulgate procedures to promote: (1) the timely sharing of classified and declassified cyber threat indicators in possession of the federal government with private entities, non-federal government agencies, or state, tribal, or local governments; (2) the sharing of unclassified indicators with the public; and (3) the sharing of cybersecurity threats with entities to prevent or mitigate adverse effects…

Permits private entities to monitor, and operate defensive measures to detect, prevent, or mitigate cybersecurity threats or security vulnerabilities on: (1) their own information systems; and (2) with authorization and written consent, the information systems of other private or government entities. Authorizes such entities to monitor information that is stored on, processed by, or transiting such monitored systems.

Allows entities to share and receive indicators and defensive measures with other entities or the federal government. Requires recipients to comply with lawful restrictions that sharing entities place on the sharing or use of shared indicators or defensive measures.

Requires the federal government and entities monitoring, operating, or sharing indicators or defensive measures: (1) to utilize security controls to protect against unauthorized access or acquisitions, and (2) prior to sharing an indicator, to remove personal information of or identifying a specific person not directly related to a cybersecurity threat…

Exempts from antitrust laws private entities that, for cybersecurity purposes, exchange or provide: (1) cyber threat indicators; or (2) assistance relating to the prevention, investigation, or mitigation of cybersecurity threats. Makes such exemption inapplicable to price-fixing, allocating a market between competitors, monopolizing or attempting to monopolize a market, boycotting, or exchanges of price or cost information, customer lists, or information regarding future competitive planning.

Basically, CISA allows — encourages — owners and operators of cyber-networks to work with each other and the public sector to monitor and defend the networks. The legislation does this by reducing the chance of successful lawsuits involving actions taken for this purpose.

DHS will play a key role brokering private-to-private and private-to-public information flows. In fact, according to The Hill — and what was said and done on the Senate floor Tuesday — “funneling the vast majority of CISA data through DHS was a key compromise the bill’s backers struck to win the support of on-the-fence lawmakers.” For some, DHS is considered more circumspect than other federal options.

Many in the tech community have resisted the measure.  Most privacy advocates have been adamantly opposed.  There is evidence that some at DHS do not want the authority being granted to it.  But that’s not what Secretary Johnson seemed to say.

According to Wired:

The version of CISA passed Tuesday, in fact, spells out that any broadly defined “cybersecurity threat” information gathered can be shared “notwithstanding any other provision of law.” Privacy advocates consider that a vague and potentially reckless exemption in the protections of Americans’ personal information. “Every law is struck down for the purposes of this information sharing: financial privacy, electronic communications privacy, health privacy, none of it would matter,” says Robyn Greene, policy counsel for the Open Technology Institute. “That’s a dangerous road to go down.”

Given the recent spike in hacks, it seems the body politic has decided: better the devil you know than the devil not known.



Comment by William R. Cumming

October 29, 2015 @ 1:18 am

Legislation silent on encryption issues and policy?

Comment by Philip J. Palin

October 29, 2015 @ 7:20 am

Bill: If I understand the intent of your question: This legislation does not address the prospect of individualized encryption technology to significantly curtail the ability of law enforcement to track digital trails. My read is that, if the House and Senate versions can be reconciled, corporations will be given substantial legal immunity for sharing customer and other information they do have with the Feds for the purposes outlined.

Despite law enforcement concerns, earlier this month the President said his administration would not try to ban encryption. Until yesterday I thought the UK might be the real test-case. But I perceive there is an increasing recognition that encryption is inevitable.

Comment by William R. Cumming

October 29, 2015 @ 10:45 am

Thanks Phil! Review the movie SNEAKERS!

Comment by Vicki Campbell

October 30, 2015 @ 12:08 am

I think this is a faux bill, supported by no relevant constituency in any direction, much more rightly called a cybersecurity problem than a cybersecurity solution, whose primary if not only function seems to be to make it look like a bunch of politicians who barely know how to use their email, much less what’s really in the bill, are coming together and finally doing their jobs by supposedly responding to the ridiculous cybersecurity breaches experienced lately – while surreptitiously facilitating the dramatic expansion of the all-citizens-all-data-all-the-time mass surveillance of the American people by the NSA, with impunity (via DHS, as if that didn’t just make it worse) – and whose sheer volume increasingly leaves no chance of being effectively filtered. Indeed, under the bill, DHS not only will be sending the information immediately on to the NSA as well as the Dept. of Defense and the Office of Director of National Intelligence, but it “gives Homeland Security the power to share that data with ‘any Federal agency or department, component, officer, employee, or agent of the Federal Government.’” And Jeh Johnson really does seem to have the any-security-at-any-cost-to-anyone contest all locked up, which is anything but reassuring, given that the bill essentially contains no restrictions whatsoever on what personal data can be shared, and effectively no incentives for redacting irrelevant but sensitive personal data – and provides for even less oversight of this “information sharing” than even the NSA.

Not only is there no meaningful proof much less even mild consensus that current privacy laws are in any way threatening the security of private electronic network infrastructures, otherwise known as the internet (which is what the bill is supposed to address) – or that the more wholesale information-sharing this bill encourages would address where the main cyberthreats or vulnerabilities currently are, or primarily were in the many recent high-profile hacking cases – the bill also continues to ignore the major technology recommendations from security experts (like strong encryption), as well as allows “companies to transfer vast amounts of private citizens’ personal data to government databases” according to the ACLU, again I might add, now with total impunity. Further, Richard Burr, Chairman of the Senate Intelligence Committee and sponsor of the bill, (as well as being my own lovely Senator), has already admitted that the bill won’t do what it was intended or represented as being able to do, but still insists it will somehow lessen the severity of security breaches, whatever that means. Finally, according to research from the Mercatus Center, of the approximately 68,000 “information security incidents” last year, absolutely none were traced or attributed to a lack of information-sharing of any kind.

But most importantly, as many others have noted, if this were actually about protecting private network infrastructures, the bill would be coming out of either the Commerce or the Homeland Security Committees, but it’s not. As just noted, it’s coming out of the Senate Intelligence Committee – and the intelligence community is the only people talking about, interested in, or supportive of it. In other words – this is a surveillance bill, not a security bill.

For me, it’s just the seemingly abject lack of respect for even the slightest right to privacy for the American public at this point, no matter how little benefit might be reaped in exchange, that I’m honestly starting to find pretty despicable.

What am I missing?

Comment by William R. Cumming

October 30, 2015 @ 10:19 am

Vicki! Excellent comment IMO!
