Posted by Kevin on December 29, 2015.
The long title for CISA is, “To improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes.” But not everyone thinks it actually will improve security.
The basic idea is that organizations share threat information with the government, which then shares it with other participating organizations in near real time. The theory is that, armed with this information, businesses will be able to recognize and defend against cyberattacks before attackers can gain a foothold.
The shared data will, again in theory, be scrubbed of personally identifiable information. However, there is a question mark over whether data cleansing and real-time sharing are really compatible. Indeed, back in July of this year, the DHS voiced its own concerns in a letter to Senator Al Franken:
I am concerned that the Senate Intelligence Committee’s bill falls short with regard to privacy protections. I do not believe it imposes a sufficiently stringent standard for the removal of irrelevant personally identifiable information, and seems to fall short of the privacy-protective standards DHS has set for itself.
This will be exacerbated by big data analytics. The volume of data collected by the government will rapidly lend itself to big data analysis, which will, in turn, allow the extraction of personal information through correlation.
Privacy, however, is merely one of many criticisms leveled against CISA. We asked a number of Chief Information Officers from within the Wisegate community a simple question: Is CISA going to be good or bad for security? We gave eight options:
Fifteen votes were cast: four saying ‘good’ and eleven saying ‘bad’. The four votes supporting CISA were all based on the basic premise that information sharing is good for security – and the reality is that few CISOs would deny that. Nevertheless, some 73% of the CISOs believe that, overall, CISA will be bad for security. Some 37% believe that it is a surveillance bill in disguise, while as many as 50% simply think it does not address the real cybersecurity issues.
Twenty-five percent believe that it will further complicate an already complicated safe harbor situation. As things stand it is simply not legal under European law for US companies to export European PII to servers in the US – and pending judgment in the US government vs. Microsoft case, it is probably not legal for US companies to store European PII anywhere. (The only acceptable approach would seem to be adequate encryption, with the encryption keys unrecoverable by the US government.)
The Schrems European Court ruling on which this is based takes Snowden’s NSA revelations as key. There is still considerable debate in the US over whether the NSA’s data collection is lawful or unconstitutional. CISA, however, would remove any doubt – it would be completely legal (and probably more hidden) under US law. That of itself would seem to make it even more plainly illegal under European law. When I put this to a US lawyer, her reply was, “It will indeed be interesting to see how that particular needle is threaded!”
To this layman it appears that the only long-term realistic solution would be for the European Union to change its data protection laws – and that would likely take many years.
But privacy and safe harbor-related issues are certainly not the only concern. One CISO is worried that more data will be collected than shared by the Federal Government. “Maybe the best way for us to see the value of this is to let the Federal Government collect information on itself and share it with the rest of us. After 5 years, then we can evaluate if there is any value in this endeavor.”
Another is concerned about the effect on existing laws. “From my understanding, law enforcement needs no probable cause to request the data. This in itself is a privacy infringement and basically makes current privacy agreements between companies and individuals obsolete.”
It seems clear that while the lawmakers are convinced that CISA will improve the nation’s security, those charged with actually doing so are extremely doubtful. So doubtful that, for the sake of balance, we should finish with the one favorable comment: “The bad guys share information much more and better than companies and the government. We need to take a page out of their playbook and see if we can learn to communicate, share, and collaborate ethically.”