BreachExchange mailing list archives

Congress’s Cybersecurity Plan Has Some Major Flaws


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 7 Aug 2015 14:01:33 -0600

http://thinkprogress.org/election/2015/08/07/3688614/cisa-privacy-problems/

After being flooded with millions of faxes and phone calls, the U.S. Senate
postponed voting on the controversial cybersecurity bill that privacy
advocates warn could be a backdoor to more government surveillance.

Congress punted the Cybersecurity Information Sharing Act (CISA) vote to
September after privacy groups protested the bill, which cements a
voluntary relationship between private companies and the government, amid
concerns that it would unnecessarily put customers’ personal information at
risk.

“Information sharing can be valuable…however, without vigorous robust
privacy safeguards will not be considered by millions of Americans to be a
cybersecurity bill,” Sen. Ron Wyden (D-OR) said in a floor speech opposing
the bill Wednesday. “Millions of Americans will say that legislation is a
surveillance bill.”

Civil liberties groups including the Electronic Frontier Foundation (EFF),
New America, and the American Civil Liberties Union (ACLU) urged the public
to call their senators and persuade them to vote against a bill that even
the Department of Homeland Security has deemed flawed, and which already
faces more than 20 proposed amendments.

But while Congress is officially on summer vacation, the Senate will still
have to face those flaws and hard questions on how to properly balance
privacy and security. ThinkProgress talked to Gabe Rottman, the ACLU’s
cybersecurity and privacy counsel, to get a look at the top privacy
problems senators will face when they get back.

CISA May Violate Current Privacy Laws

One complaint privacy advocates have is that CISA, as written, undercuts
existing privacy laws that give citizens power to hold companies
responsible for any digital recklessness.

“Private companies receive broad new legal protections for sharing personal
information with the government, when such sharing could potentially
violate existing privacy law,” Rottman said of the bill.

What could be worse, he said, is that the companies who voluntarily
participate “do not have to aggressively strip out personal information unrelated to
the threat. They have to review cyber threat indicators for information
that they know at the time of sharing is not directly related to the
cybersecurity threat and remove it. The problem is ‘know at the time’ that
it’s not directly related. In a lot of cases, entities won’t ‘know’ whether
the information is related at all.”

For example, a phishing email (one sent from a seemingly familiar sender
such as a bank or a former employer) that goes out to many different people
widens the net cast by companies and the government for catching any
communications that are potentially “directly related” to the original
phishing email.

“Cybersecurity threats are so varied that a large amount of [personal
identifying information (PII)] could be deemed directly related or at least
arguably directly related, meaning that an entity is not going to know with
certainty that [a communication is] not directly related and will leave it
in,” Rottman said.

“The bottom line is that most entities are just not going to have enough
information to ‘know’ at the time of sharing whether a particular
personally identifiable data point is related or not to the threat…many
will just overshare.”

Companies — Not Individuals — Would Control Sensitive Information

After Senate Majority Leader Mitch McConnell (R-KY) announced the delay of
the CISA vote Wednesday, Wyden echoed the sentiments that caused activists
and ordinary citizens to send north of 6 million faxes denouncing the bill.

“It prevents Americans from suing companies for losing their data,” he
said, noting CISA would permit companies to share customers’ personal
details, including email contents, financial information, and any
electronically stored data. “It is voluntary for the companies but for the
citizens…across the country it’s not voluntary. For them, this legislation
is mandatory.”

Rottman agreed, saying the bill would permit private companies to share
otherwise sensitive and heavily guarded information in the name of
cybersecurity: “The growing volume of sensitive information will make the
government databases even more tempting targets for cyberspies or
criminals, which will harm cybersecurity.”

Even Homeland Security Has Concerns

The federal agency charged with guarding the country and its citizens, both
digitally and physically, said CISA’s framework could “contribute to the
compromise of personally identifiable information by spreading it further,”
according to a letter the agency sent to Sen. Al Franken (D-MN) last week.
“While DHS aims to conduct a privacy scrub quickly so that data can be
shared in close to real time, the language as currently written would
complicate efforts to do so.”

The bill is similar to a previous voluntary effort launched in 2014, in
which major retailers including Safeway, Walgreens, and Nike formed an
alliance with the Department of Homeland Security, the Federal Bureau of
Investigation, and the Secret Service to share real-time threat information
through a central intelligence-gathering system.

Under normal circumstances, Rottman pointed out, DHS would “conduct a
second sweep of the information to remove any PII that got through. Under
the bill, it is not allowed to do so, and it must automatically share the
information with the National Security Agency and other intelligence and
law enforcement agencies.”

That information is then “used to detect, investigate and prosecute a
variety of non-cyber-related crimes,” including those that fall under the
Espionage Act — legislation that has been the crux of many national
security investigations and government whistleblower cases.

It Wouldn’t Prevent The Most Egregious Hack Attacks

Most importantly, advocates proclaim the bill wouldn’t do anything to
preclude breaches, including China’s enormous attack on the Office of
Personnel Management, health records breaches, the notorious Sony hack, or
bad digital hygiene.

Robyn Greene, policy counsel for the New America Foundation’s Open
Technology Institute, agreed, tweeting a list of the breaches that wouldn’t
have been prevented under CISA’s language.

But we’ll just have to wait until after Labor Day to see if Congress agrees.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/