Senators are back from a week-long recess this week and rumblings on Capitol Hill indicate one of their first priorities could be the oft-delayed and opposed Cybersecurity Information Sharing Act (CISA) — a bill intended to boost the public-private exchange of cyber threat indicators cybersecurity experts now say would do little to prevent cyberattacks.
“Sharing information about cyber attacks and vulnerabilities is a critical requirement for cybersecurity,” said Russ Spitler, vice president of product strategy for network security provider AlienVault. “Until the organizations and people responsible for defense of our systems are able to effectively collaborate, hackers will continue to prey on our relative isolation to perpetuate large scale attacks. However, CISA does not provide this for us.”
In 2012 AlienVault launched Open Threat Exchange, a crowd-sourced threat intelligence sharing platform that counts HP and Intel Security among its member companies. Open Threat Exchange supports more than 26,000 participants in over 140 countries and contributes more than one million threat indicators daily.
“Sharing and collaboration has never come as a result of government regulation,” Spitler said in a statement. “Some of the most notable achievements of effective collaboration are seen in projects like Wikipedia — projects that are successful due to a driving need and a community that requires a solution to a pressing problem – not as a result of regulation.”
Republican leaders in the upper chamber could bring the bill to the floor as early as Tuesday and begin considering a slate of more than 20 amendments Republicans and Democrats agreed to before the August recess.
Majority Leader Mitch McConnell along with Senate Intelligence Committee Chairman Richard Burr and ranking member Sen. Dianne Feinstein — the bill’s chief sponsors — had originally planned to vote on the bill prior to Congress’ late summer break, but were forced to put that vote on hold as a result of pushback from Democrats and privacy activists.
The Electronic Frontier Foundation, Fight the Future and others flooded the upper chamber with six million faxes in July opposing CISA, which they described as a “surveillance bill masquerading as a cybersecurity bill” over provisions allowing private companies to share “cyber threat indicators” with the government, without removing unrelated user data including IP addresses, emails and passwords.
Proponents argue the bill is “entirely voluntary” and not intended to provide members of the intelligence community, such as the National Security Agency, with more personal data on Americans — data the bill calls on public and private entities to remove, according to the Protecting America’s Cyber Networks Coalition — a tech industry group supporting CISA.
Last week the Computer & Communications Industry Association, a tech trade group representing tech and telecommunications companies including Facebook, Google, Microsoft, Yahoo, Amazon, Netflix, eBay, Sprint and others, released a public statement opposing CISA.
“CISA’s prescribed mechanism for sharing of cyber threat information does not sufficiently protect users’ privacy or appropriately limit the permissible uses of information shared with the government,” public policy and regulatory counsel for CCIA Bijan Madhani said in a statement.
Though the group reported pushback from some of its members on its position, Silicon Valley giants like Apple have already publicly come out against the bill on their own.
“In addition, the bill authorizes entities to employ network defense measures that might cause collateral harm to the systems of innocent third parties,” Madhani continued.
According to CCIA those measures include “hack-backs,” or retaliatory cyberattacks by victims of cyber intrusions.
Director of NSA Adm. Mike Rogers recently warned companies and agencies should be “very careful about going down this road,” and Deputy Secretary of Defense Robert Work added such defensive countermeasures could spark a “second, third and fourth order of [unanticipated] effects.”
“CISA does not permit so-called hacking back,” the Protecting America’s Cyber Networks Coalition said in its statement supporting the bill. “[C]ompanies are not permitted to destroy or render computer systems unusable. The bill ensures that defensive measures are properly confined to a business’ own networks or to those of its customers.”
The House passed similar companion bills earlier this year, including the Protecting Cyber Networks Act, which allows private companies to similarly share user information with government agencies. If the Senate pass CISA, the chambers will proceed to conference.