On CISA

I have avoided writing about the Cybersecurity Information Sharing Act (CISA), largely because the details kept changing. (For those not following closely, similar bills were passed by both the House and the Senate. They're now being combined into a single bill which will be voted on again, and then almost certainly signed into law by President Obama.)

Now that it's pretty solid, I find that I don't have to write anything, because Danny Weitzner did such a good job, writing about how the bill encourages companies to share personal information with the government, allows them to take some offensive measures against attackers (or innocents, if they get it wrong), waives privacy protections, and gives companies immunity from prosecution.

Information sharing is essential to good cybersecurity, and we need more of it. But CISA is a really bad law.

This is good, too.

Posted on November 17, 2015 at 12:03 PM • 31 Comments

Comments

Hugo LeisinkNovember 17, 2015 12:31 PM

Increased security is not gained by giving up privacy, but it is gained by improving security. This might sound silly, but there is really a lot to improve. The average IT professional knows little about security. Often, I meet developers who don't know how SQL injection works, administrators who don't know much about server hardening, project managers who never heard about penetration testing. I truly believe that about half of all IT personal knows too little about security to do his/her job right. Surveillance and catching criminals is not the solution to cyber crime. Improving security is. It is time for politicians to realize that.

rgaffNovember 17, 2015 12:35 PM

@Hugo Leisink

They won't. Because it's human nature, once intoxicated with a little bit of power, to want more and more of it. Our leaders aren't trying to improve security, they're trying to grab more power. Security is just an excuse to try to explain it away.

Hugo LeisinkNovember 17, 2015 12:49 PM

@rgaff: No, that's not true. Not every politician is an evil maniac with a hunger for power. Sure, some are, but many of them are simply trying to do their best.

The problem here is knowledge, or beter, the lack of it. Computers are complex devices. Microsoft, Apple and others did their best to make the computer easy to use for almost everybody, but that doesn't change the fact that a computer is a complex device. Only few know exactly how a computer (and the internet) works. Almost every politician doesn't. Of course, a politician can ask experts to advice them, but how can one know who is a true expert. It takes an expert to judge an expert. Who is a politician going to believe. What story should he believe? Why should he believe the story about more surveillance and not about more privacy, or visa versa?

ESNovember 17, 2015 1:27 PM

I believe the core problem is not knowledge, lack thereof, or desire for power. I think it is the job description. CIA, NSA, FBI, etc... their job is to "protect" USA citizens from physical harm caused by certain groups and to collect information. Their job is not to "protect" privacy or freedom. They are just trying to do their job to the best of their ability. Many of them probably know by now that privacy will be lessened if they get what they want. But being concerned about privacy is not part of their job.

Either the job description needs to change or new agencies with the same level of power need to be put in place to protect privacy and freedom to create a balance of power. Neither will happen until we (voters) tell our elected officials that their jobs are to prioritize protection of privacy and freedom over physical harm.

SaraNovember 17, 2015 1:33 PM

I would agree with Hugo that knowledge is huge part of the issue. We have leaders passing laws governing cybersecurity when the majority of them don't understand any of it.
Giving up privacy or allowing backdoors in encryption are all adding to the overall issue, not fixing it.

B613November 17, 2015 1:35 PM

Really, appears to be as I thought it would be, bad.

As it is, companies have a lot of different regulations to adhere to, for the protection of confidential data: there are corporate regulations, regional governmental regulations, national governmental regulations, international governmental regulations, customer regulations. And then there is sheer risk of exposure because of loss of confidential data.

All of this can be bypassed: corporations need only have a separate "black box" where they store all data "for security purposes". No data retention laws and regulations can apply.

As long as the data is secured, there is not even any other reason for any auditor to be able to complain.

And this means they can store all data.

Who is to say what data may not have security ramifications.

All you have to do is say to the auditor, "well, this server is where we store data for the government's CISA program".

And if that corporation wants to also examine that data, why not? Just because they perform intensive processing on it does not mean it is not also stored for the government under CISA. Those systems just become part of the 'black box' for CISA.

Win for corporations, win for government.

As for otherwise, for companies that decide not to go that far, does attack data often have confidential data in it? Yes.

This also gives governments another option: if they want information from, say, for instance, Google, without a warrant, they could either just say "hey we are getting an attack via this user at this user's email account, it is bad, can you send us their data?" Or, they could forge the user's attack and justify it that way.

"Let's look at all this user's email, to see what they are up to, we need as much evidence as possible."

rgaffNovember 17, 2015 1:46 PM

@Hugo Leisink, Sara

If the problem were mere knowledge, then why wouldn't politicians simply READ what virtually EVERY INDUSTRY EXPERT says? Instead of purposefully promoting fear to the masses and draconian anti-freedom measures that gives themselves more and more power? You don't stamp out evil in the world by grabbing more power and becoming more and more ruthless, you just become the evil of the world by doing that.

Hugo LeisinkNovember 17, 2015 2:03 PM

@ES: The NSA is not the problem. If the world took IT security more seriously, internet criminals wouldn't have such an easy job as they have now. Then we wouldn't need the NSA for that. Again, lack of knowledge is the key problem.

@rgaff: You're underestimating the true power of the dark side^H^H^H^H^H^H^H^H^H lobbyists. And besides that, most politicians don't have the time to read all that.

Martin WalshNovember 17, 2015 2:14 PM

@Hugo Leisink

You could have saved yourself a lot of typing if you simply commented "everyone is stupid...except for me."

Hugo LeisinkNovember 17, 2015 2:46 PM

@martin: That's lame. I never said I have all the knowledge. If for some reason you don't agree with what I said, criticize my comment, not me personally.

rgaffNovember 17, 2015 2:56 PM

@Hugo Leisink:

"READ what virtually EVERY INDUSTRY EXPERT says?"

"most politicians don't have the time to read all that."

You're being obtuse. You are purposefully evading my point, and bringing up things that don't matter. Obviously nobody has time to read EVERYTHING... but if EVERY industry security expert is saying the same thing... improve security by making encryption better and its use more widespread, for example... and you do the opposite of that by essentially declaring all industry security experts enemies of the state... you're obviously not paying attention to even ONE of the many industry experts!

Therefore, the problem is not simply education, the problem is drunkenness on power. Our leaders grab more and more power, and steadfastly refuse to listen to reason (i.e. eduction, knowledge) showing that's a bad idea.

FYI, I don't want to be right... I wish my declaration of all politicians as evil incarnate and rotten to the core power hungry money grabbing thugs and criminals would actually give them pause, and make them turn back another way.... but I doubt it will...

AJNovember 17, 2015 2:59 PM

Does CISA have an effect on the negotiations with the EU over individual's privacy? Maybe it will just make the wall higher...

Hugo LeisinkNovember 17, 2015 3:12 PM

@rgaff: I assume you and I have the same ideas about how to deal with security, privacy, etc. But there are also a lot of 'experts' out there telling different stories. Sales people from companies trying to sell surveillance equipment, lobbyists from the music and movie industry, people from the police / justice department really thinking that collecting as much data as possible is the right way to go, etc. How is a politician able to tell the difference between a real expert and one with a hidden agenda?

rgaffNovember 17, 2015 3:15 PM

@ AJ

It's just plunging the sword into the heart of American businesses once more, I mean, it wasn't stillborn enough on a world market, gotta make sure it's really dead.

Either that or American politicians believe the USA is so secure in its worldwide dominant dictatorship over every other country, that they don't have to even have a pretense of caring any more...

There isn't really a middle ground...

rgaffNovember 17, 2015 3:34 PM

@Hugo Leisink

OMG a sales person is not an expert.... a person with a vested interest in also wanting more power (i.e. law enforcement) is not an expert... Experts are the ones who actually DO STUFF. The ones who actually design things. The ones who actually build things.

So, you're essentially saying, politicians are so well insulated, surrounded and beguiled by people with agendas, that they can't find A SINGLE SOUL that will give them an honest opinion... when there are honest opinions all over the internet... just look at this blog, for example... Bruce is just a nobody?

I don't buy this, because in my personal experience, people who can't hear experts can't hear because of their OWN PERSONAL agendas (like getting more power, money, etc for themselves) not because of the agendas of those around them. Experts can be right up in their face and they will not hear, they will only get annoyed and vindictive.

Hugo LeisinkNovember 17, 2015 3:57 PM

Ok, 'sales person' were not the right words. What I meant was someone who claims to be an expert, but who's only interest is making sure that the company he works for will be able to sell a lot of surveillance equipment to the government.

Companies simply have more time, money and willpower to do some serious lobbying than a security expert has. The expert is probably working for some IT company, who has no interest in convincing the government to respect privacy. In my opinion, one of the main reasons privacy loses so many times.

BardiNovember 17, 2015 4:08 PM

"allows them to take some offensive measures against attackers (or innocents, if they get it wrong)"

Change the "if" in the parens to "when", as it happens every time.

Is no one in Congress aware of Murphy's Law?

rgaffNovember 17, 2015 4:50 PM

@Hugo Leisink

No that sounds like the right definition of "sales person" with the ones I've worked with... Only I would have used stronger language, of course :)

There is no question that lobbying is a big influence and not in a good way. But in my opinion there has to be something personal too, for such a huge percentage of politicians to be so blind... anyone who really wants to know something can find it without too much difficulty, this is the information age after all. I will not give politicians a free pass and let them off the hook for their stupidity.

BlakeNovember 17, 2015 5:52 PM

@rgaff

> Because it's human nature, once intoxicated with a little bit of power, to want more and more of it.

@Hugo

> If the world took IT security more seriously

There may be a simpler explanation for both sides - Hanlon's razor - that "just good enough" is just good enough.

Things aren't always implemented badly because someone is trying to shaft you; sometimes it's because what's already done kind of works, and your boss isn't giving you any more time for it and telling the higher-ups that it's ready to ship. "Only just working" still means "working". Who knows how many industries regularly function on the brink of collapse because that's the minimum amount of effort required to stay operational. It doesn't give us much of a margin for risk management, but one of Bruce's better general observations is that humans are terrible at assessing low probability events.


Question for Bruce: how do you think this "just give all your data to the government" attitude is going to play with the EU Safe Harbor provisions?

The very little I know about international law says that Trade Agreements trump national laws, meaning that companies might still be able to say "yeah we see your CISA but we raise you this multinational trade agreement saying we can't share personal data of EU citizens, sorry." Either that or just do the Oracle thing and fragment all your datacenters into USA and EU shards.


JesseNovember 17, 2015 5:54 PM

Say Bruce, it seems that any news article I read about Congressional interaction with spying or privacy matters mentions Sen Ron Wyden in a positive light, as though he's the only law maker who comprehends that computers do more than pong and evil.

Do you have any impression that he really has these chops, and that he is not hobbled by any obvious conflicts of interest or do you suspect it might be just so much PR spin?

Because if he actually lives up to everything I read I just wonder why we can't put credentials like that in the Whitehouse right away. :P

SteveNovember 17, 2015 6:23 PM

Does using a private email client like Thunderbird with POP3 removing email from google's or hotmail's etc server once downloaded, in anyway thwart CISA. I suspect the answer is no but I thought I'd ask anyway.

albertNovember 17, 2015 7:24 PM

@rgaff,

I refer to Congress-critters. I don't think of them as power-hungry. Most just want to keep suckling on the Golden Teat, and they spend most of their time working towards that end. The result is not having time to read _anything_; it's the aides who do that. Try condensing cyber-security issues, or geo-political issues in the ME, into a short paragraph and you'll see the problem. I doubt whether any group of aides (let alone their boss) has read the entire ~5700 pages of TTIP. Probably no one in the White House has. TTIP (as NAFTA) will be responsible for the decimation of US industry.

Large corporations have total control of Congress, the White House, and the best judges money can buy. They don't want cyber-security, because they don't want to spend money on stuff they don't need. They are virtually unregulated, and their continued existence is guaranteed by our tax dollars. They are the root of evil, and they need to be uprooted.

They are moral cannibals, as the courts, Congress, and the POTUS. Moral (or Consitutional) arguments don't cut no ice.

. .. . .. _ _ _ ...

Clive robinsonNovember 18, 2015 5:37 AM

@ Andrew,

British will make iPhones even more secure.

No the world has not turned upside down whilst you sleep.

It's actually in the interests of --real-- National Security to do so. If you talk to anybody in the more senior ranks of both the UK, US and NATO military you will find them nodding their head on this.

Put simply those "man luggable" secure radio systems are coming to an end for general military use in many envisioned future combat zones. They are to big to heavy, don't have good battery life and turn the forward troops people carrying them into "sniper bait" and suprisingly for many people who have not had their butt in a cold wet shell scrape not much use for communicating with other ground troops. Further modern radio direction and ranging systems have even "low probability of detect" radio systems fixed within milliseconds these days, when coupled with GPS guided long range howitzer air burst shells, pressing the PTT is as good as signing your own death warrant.

What has happened is the troops like various emergency services find their mobile phones almost infinitely better, as one military signaler put it "Our troop commander can set up a conference call with those nearest his possition faster by giving an order to Siri not me."

Further it's cheeper to buy everybody in a troop a couple of Apple phones than it is one military man pack radio.

Importantly an iPhone is also a personal learning and entertainment device, which helps combatants better utilize their off patrol/guard time. The cameras enable forward intel to be more rapidly sent back for analysis, so on and so on.

Mobile phones are the "dream device" for "Soldier 21C" strategy where the set piece battles envisioned of the Cold War are for now just a distancing past.

So yes a high security slightly more ruggadized version of the mobile phone is what the military are interested in for good reason, as are most LEOs and other emergancy services. Oh and one other major benifit "they all play together" and "scale without issue" which despite the sales promises no other digital radio system gets even remotely close to...

GrauhutNovember 18, 2015 7:46 AM

@Hugo: "The problem here is knowledge, or beter, the lack of it."

No, the problem is politicians who don't want the clock to tick.

They need plausible deniability of knowledge in cases they don't want to decide.


"Tenet and Black pitched a plan, in the spring of 2001, called “the Blue Sky paper” to Bush’s new national security team. It called for a covert CIA and military campaign to end the Al Qaeda threat—“getting into the Afghan sanctuary, launching a paramilitary operation, creating a bridge with Uzbekistan.” “And the word back,” says Tenet, “‘was ‘we’re not quite ready to consider this. We don’t want the clock to start ticking.’” (Translation: they did not want a paper trail to show that they’d been warned.)"

http://www.politico.eu/article/attacks-will-be-spectacular-cia-war-on-terror-bush-bin-laden/


The Frenchies have a similar problem now, they know everybody knows they knew...

http://mobile.interieur.gouv.fr/fr/Actualites/L-actu-du-Ministere/Ouverture-de-la-journee-de-reflexion-sur-la-prevention-de-la-radicalisation

The reelection clock ticks.

Now they are searching for "magical encryption devices" because they need an explanation for doing nothing...

GrauhutNovember 18, 2015 7:56 AM

@Clive: "radio systems fixed within milliseconds these days, when coupled with GPS guided long range howitzer air burst shells, pressing the PTT is as good as signing your own death warrant."


The day will come when sending an iMessage in a war zone means the same...

Mark MayerNovember 18, 2015 9:20 AM

I'm not sure which is worse, waiving privacy rights without consent or giving corporations immunity. Removing accountability is not going to motivate business to improve their security.

@Andrew: I'm sincerely surprised you haven't yet been posted to ISIS headquarters. Not the one in Syria, this one - http://archer.wikia.com/wiki/ISIS_headquarters

AlexNovember 18, 2015 9:32 AM

@Hugo Leisink: "The average IT professional knows little about security. " -- you are very much correct sir! Even those who claim to be security experts have no clue. There are so many people in the field who claim to be experts at it but are 100% book-taught and couldn't hack a bathroom door with a credit card/Cat5 wire/screwdriver, let alone use a script kiddie script on a webserver. Forget actual injections/exploits.

I recently read an article in an accounting journal advising accountants on IT security from a so-called expert. All of the advice? Rubbish! Not one thing in the article would stop any of the attacks I've seen in the field over the past two years.

There was the usual complex password bullshit, wherein they suggest T!xA8* is more secure than thisisaverylongpassword. The former is likely to get written on a post-it note, e-mailed, or otherwise recorded where unauthorized people may find it, whereas the latter is much more likely to be remembered and its length will stop many attacks. I don't know about anyone else, but when I'm brute-forcing, I already assume it's complex and just use those options in the commandline. Similar for my rainbow tables.

Then there were the laughable recommendations, such as having people sign a piece of paper with some legalese rambling about security on it, to pop-ops on the screen with similar legalese at login.

No discussion about firewalls, intrusion detection, network monitoring, software patches, physical security, e-mail attachments, USB drives, sites like DropBox, employees installing rogue software, social engineering, etc. And this is from a so-called security expert!

Re: CISA -- I fail to see how this will improve anything other than creating the opportunity for government snooping and data mining. As the NSA has showed us: 1) Information gathered *will* be misused, as in the case of employees snooping on former romantic partners, etc. 2) The government doesn't know how to legitimately use it. 3) They'll lie about it every step of the way. And not the NSA, but others: 4) They'll use this information against you if it benefits them.

Great editorial in the NYT yesterday, "Mass Surveillance Isn't the Answer to Fighting Terrorism" : http://www.nytimes.com/2015/11/18/opinion/mass-surveillance-isnt-the-answer-to-fighting-terrorism.html?_r=0

albertNovember 19, 2015 2:10 PM

@Clive,
Are not these cell phones subject to the security of the tower system? Even if operated by the military, wouldn't they be prime targets? Easy to track by RDF systems.
.
The problem with ever more sophisticated systems is the exponential increase in the number of points of potential failure (PPF). Modern digital circuits a delicate and sensitive things, susceptible to EMP and microwave attacks, not to mention jamming. Enemies could infest an area with hundreds of wide-band jamming devices, attached to land mines or IEDs.
.
I often worry about our increasing reliance of sophisticated technology, in both military and civilian sectors. What's our fallback position? Our Plan B?

. .. . .. _ _ _ ....

WNovember 19, 2015 7:08 PM

Wouldn't information sharing in this case increase the cybersecurity risk? I mean, if data's being shared, it stands to reason a copy of it would need to be made to be shared. And if a copy is made and distributed, that means there's a massively increased attack surface to get at the same data.

How in the world would information sharing help cybersecurity in the slightest?

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient, an IBM Company.