The Senate is currently debating a bill to give the Department of Homeland Security unprecedented access to personal information, a measure intended to help protect the nation from cyber attacks. Yes, that DHS, whose director just had his Comcast account hacked. Even stranger: DHS doesn’t even want the power it would be granted.
The bill is the Cyber Information Sharing Act, or CISA. It would give companies legal immunity to send DHS a broad range of information about the users of their websites. DHS would then be allowed to speed that (nominally anonymized) information along to the NSA, DoD, FBI, the FCC or other bodies. Through a byzantine series of twists and turns, that could potentially include foreign militaries.
In July, DHS officials pointed out various problems with CISA in a seven-page memo. They argued, among other things, that the bill “could sweep away important privacy protections, particularly the provisions in the Stored Communications Act limiting the disclosure of the content of electronic communications to the government by certain providers.”
But hey, what’s a little privacy loss in the name of better security? Unfortunately, according to DHS’s memo, CISA fails there, too. “These provisions would undermine the policy goals that were thoughtfully constructed to maximize privacy and accuracy of information, and to provide the NCCIC with the situational awareness we need to better serve the nation’s cybersecurity needs,” it said.
Speaking at a recent Passcode event, Doug Maughan, who runs the cyber security division of DHS’s science-and-technology directorate, underlined other concerns. If a cyber attack happens, Maughan asked, “Do you really want some centralized entity being the router for everybody? And isn’t there a better way for us to share information in a different fashion instead of one organization receiving it all and then trying to farm it out to everybody else? It would seem to me, in a global community, we ought to come up with some more technically smart mechanisms for information sharing than a centralized hub.”
In some ways, DHS is already the centralized hub for cyber threat indicators. But some folks at DHS’s National Cybersecurity and Communications Integration Center (part of the Office of Cybersecurity and Communications) are working to help companies share information in ways that protect privacy and don’t involve the government. Among those efforts are STIX, a “standardized, structured language to represent cyber threat information,” and TAXII, a set of standards for exchanging that information between two partners.
These efforts are already reshaping network security, and neither short-circuits existing privacy laws, DHS wrote in its memo. “Cybersecurity vendors are now integrating STIX/TAXII into their commercial products, further broadening use of the standard. DHS is already using this initiative to send out uni-directionally, machine-readable cyber threat indicators at near-real-time to one government agency,” it said.
These efforts, on top of the other ways most large companies share information with each other, make CISA look unproductive and possibly dangerous to DHS.
But the bill is being championed by national security hawks — and lawyers who say it would reduce the risk of getting their companies sued. Currently, companies that share data with the government generally do so via agreements with particular agencies — and that can lead to trouble when, say, a nondisclosure agreement with DHS does not cover the FTC or FCC, said Harvey Rishikof, senior counsel at Crowell & Moring and a former senior policy advisor to the office of the national counterintelligence executive. But under CISA, companies would be fully immunized against lawsuits, as long as they followed the rules, Rishikof said.
CISA may not accomplish much in terms of cyber security, and it perhaps detracts from privacy, but at least it’s winning with the lawyers, which is a bit like better security… a wee bit.