
CISA: will it be good or bad for security?

Posted on December 29, 2015.

The long title for CISA is, “To improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes.” But not everyone thinks it actually will improve security.

Top Takeaways

  • More than 73% of CISOs think CISA will be bad for security
  • The most prevalent view is that it does not address the real security issues
  • Privacy concerns, both internal and in relations with Europe, are also highlighted

CISA: the background

The basic idea is that organizations can share threat information with the government from where it is shared to other participating organizations in almost real time. The theory is that armed with this information business will be able to recognize and defend against cyberattacks before attackers can gain a foothold.

The shared data will, again in theory, be scrubbed of personally identifiable information. However, there is a question mark over whether data cleansing and real time sharing are really compatible. Indeed, back in July of this year, the DHS voiced its own concerns in a letter to Senator Al Franken:

I am concerned that the Senate Intelligence Committee’s bill falls short with regard to privacy protections. I do not believe it imposes a sufficiently stringent standard for the removal of irrelevant personally identifiable information, and seems to fall short of the privacy-protective standards DHS has set for itself.

This will be exacerbated by big data analytics. The volume of data collected by government will rapidly lend itself to big data analysis which will, in turn, allow the extraction of personal information through correlation.

CISA: the CISO view

Privacy, however, is merely one of many criticisms leveled against CISA. We asked a number of Chief Information Security Officers (CISOs) from within the Wisegate community a simple question: Is CISA going to be good or bad for security? We gave eight options:

  • Good, because sharing information is good for security
  • Good, because law enforcement will get automatic notification of malicious code incidents
  • Good, because industry gets rapid notification of threat indicators from other organizations (at the moment this tends to happen only within specific vertical industries; CISA will expand this practice across all verticals)
  • Good, another reason
  • Bad, because it doesn’t tackle the real issues (unencrypted data, unpatched servers, poor security architecture etc.)
  • Bad, because it is a surveillance bill in disguise
  • Bad, because it will complicate an already complicated safe harbor situation (EU law forbids the passing of EU data to third parties while CISA encourages and provides immunity for it)
  • Bad, for another reason

Fifteen votes were cast: four saying ‘good’, and 11 saying ‘bad’. The four votes supporting CISA were all based on the basic premise that information sharing is good for security – and the reality is that few CISOs would deny that. Nevertheless, some 73% of the CISOs believe that, overall, CISA will be bad for security. 37% believe that it is a surveillance bill in disguise; while as many as 50% simply think it does not address the real cybersecurity issues.

Safe Harbor Issues

Twenty-five percent believe that it will further complicate an already complicated safe harbor situation. As things stand it is simply not legal under European law for US companies to export European PII to servers in the US – and pending judgment in the government vs. Microsoft case, it is probably not legal for US companies to store European PII anywhere. (The only acceptable approach would seem to be adequate encryption with the encryption keys unrecoverable by the US government.)

The Schrems European Court ruling on which this is based takes Snowden’s NSA revelations as key. There is still considerable debate in the US over whether the NSA’s data collection is lawful or unconstitutional. CISA, however, would remove any doubt – it would be completely legal (and probably more hidden) under US law. That of itself would seem to make it even more plainly illegal under European law. When I put this to a US lawyer, her reply was, “It will indeed be interesting to see how that particular needle is threaded!”

To this layman it appears that the only long-term realistic solution would be for the European Union to change its data protection laws – and that would likely take many years.

CISA: Other Issues

But privacy and safe harbor-related issues are certainly not the only concern. One CISO is worried that more data will be collected than shared by the Federal Government. “Maybe the best way for us to see the value of this is to let the Federal Government collect information on itself and share it with the rest of us. After 5 years, then we can evaluate if there is any value in this endeavor.”

Another is concerned about the effect on existing laws. “From my understanding, law enforcement needs no probable cause to request the data. This in itself is a privacy infringement and basically makes current privacy agreements between companies and individuals obsolete.”

It seems clear that while the lawmakers are convinced that CISA will improve the nation’s security, those charged with actually doing so are extremely doubtful. So doubtful that for the sake of balance we should finish with the one favorable comment: “The bad guys share information much more and better than companies and the government. We need to take a page out of their playbook and see if we can learn to communicate, share, and collaborate ethically.”
