What the Chamber of Commerce won’t tell you about the Cybersecurity Information Sharing Act

The number one thing the U.S. Chamber doesn’t want you to know: CISA would have done absolutely nothing to protect against the OPM breach or any others like it.

Photo Credit: https://www.flickr.com/photos/mjb/

The U.S. Chamber of Commerce has quietly lobbied for some version of the Cybersecurity Information Sharing Act (CISA) since at least 2009. On the surface, the concept seems simple: encourage companies to share information about cyber threats so that we can address them more quickly. It sounds benign, but the bill is not.

Here’s what the Chamber isn’t telling you: Rather than creating incentives to strengthen network security, the bill simply encourages companies to share their customers’ private data with the government in exchange for liability protections. Technologists see weak network security and want to strengthen it. Executives see the same vulnerabilities and want to protect themselves from fines or future regulation.

The result is that you have technologists on one side, and the Chamber’s corporate lobbyists on the other. But this bill represents more than just another corporate handout. While it ostensibly positions the Department of Homeland Security, a civilian agency, as the agency to lead U.S. cybersecurity operations — the hub government recipient of sensitive information — the bill also provides for automatic and instantaneous sharing of that information with the National Security Agency (NSA) and domestic law enforcement. This mass-scale transfer of private information to the government does just what the Chamber wants to hide from you: It makes CISA a surveillance bill.

But something went wrong with that plan. People are taking notice. Internet users (ironically) generated millions of faxes, telling the U.S. Senate that they oppose cyber-surveillance. In a week of coordinated action in July, dozens of public interest organizations sent letters and made noise on their blogs, explaining in detail what’s wrong with the bill.

Last week, the Chamber of Commerce sought to address the hubbub with a blog post called, “Cyber Fact and Fiction: Debunking Five CISA Myths.” Rather than address the real issues, the post simply reasserts the same tired talking points. Here’s what the Chamber of Commerce isn’t telling people about CISA.

What the Chamber says:

“CISA’s definition of cyber threat indicators (CTIs) is very limited.”

What the Chamber isn’t telling you:

CISA drastically lowers the standard for what can be shared with the U.S. government. Since 2003, the National Council of ISACs has operated Information Sharing and Analysis Centers (ISACs) to help companies share information with each other and the government. CISA lowers that accepted standard of practice in several ways. CISA encourages a company to share “any attribute” of a cyber threat. The bill only requires companies to remove personally identifying information if they “know” that the information is not “directly related” to a cyber threat. And because the bill rewards companies for sharing (and ignorance is at least hypothetically blissful), the obvious incentive is to include everything. The bill requires no secondary scrub of the information before it is shared with other agencies.

What the Chamber says:

“CISA does not authorize the government to surveil individuals, such as targeting crimes unrelated to cybersecurity.”

What the Chamber isn’t telling you:

The bill would expand existing surveillance powers even without authorizing new surveillance. The bill does not authorize the Federal Bureau of Investigation (FBI) or NSA to conduct surveillance activities. However, the bill does allow brand new streams of personal information to flow to agencies tasked with surveillance, and nothing in the bill prevents these agencies from using information shared to advance law enforcement or intelligence operations. In other contexts, we’ve seen that the FBI routinely (and warrantlessly) digs through information provided to the agency. The NSA is also known to use Cyber Threat Indicators to conduct surveillance on the backbone of the internet.

What the Chamber says:

“CISA does not permit so-called hacking back — companies are not authorized to destroy or render computer systems unusable.”

What the Chamber isn’t telling you:

CISA would authorize companies to launch damaging “countermeasures” against perceived attackers. While it would prohibit measures that cause “substantial harm,” it doesn’t define what damage would be considered “substantial.” That means that countermeasures (also known, less euphemistically, as “hack backs”) could purposefully cause significant harm, as well as cause additional unforeseen effects. It is likely that innocent users would be harmed by hacking back, which would be further complicated by the fact that attribution is notoriously difficult. Overly broad definitions and undefined terms are clearly a characteristic that permeates the bill.

What the Chamber says:

“CISA contains multiple, overlapping provisions to guard and respect privacy.”

What the Chamber isn’t telling you:

The law overrides far more expansive privacy protections than it contains (which are few and weak). The authorization begins, “notwithstanding any other provision of law.” Current sharing occurs consistent with privacy laws. Under CISA, those laws are overridden, from ECPA to HIPAA. And the “notwithstanding” language could even be read to preempt common law, even if that’s not what the authors intended.

What the Chamber says:

“Businesses are not granted liability protection when sharing CTIs with the DoD and the NSA — which preserves the status quo.”

What the Chamber isn’t telling you:

Any information would in fact be shared with the Department of Defense (of which the NSA is a part). While the bill allows companies to share information with any agency, the (super broad) liability protection would, in fact, only apply to information shared with the Department of Homeland Security. However, DHS is then required by the law to automatically share that information with other agencies, such as the NSA. The Chamber’s argument is the equivalent of claiming that it’s not responsible for moving the car forward if all it does is push down the gas pedal.

The Cybersecurity Information Sharing Act is a fundamentally flawed bill. It is not designed to protect privacy, civil liberties — or even networks. And here is the number one thing the U.S. Chamber doesn’t want you to know: It would have done absolutely nothing to protect against the OPM breach or any others like it. The Senate should put away consideration of this bill and begin a public conversation about real ways to protect insecure networks.
