CISA Could Lead To Privacy Issues And Abuse, Security Channel Fears

A new Senate bill that gives businesses that suffer cybersecurity breaches immunity from provisions barring the sharing of information is causing great concern among the IT security channel because of the potential for abuse.

The Cybersecurity Information Sharing Act of 2015, or CISA, passed Tuesday by the U.S. Senate, is aimed at promoting information sharing between the public and private sectors. The bill sets up a system for threat intelligence information sharing between the two sectors led by the director of national intelligence.

The bill would bypass privacy and antitrust laws that currently prevent the sharing of information after an attack. In theory, sharing such information could allow other businesses more time to put in place procedures to prevent a similar attack on their operations.

The federal government expects that businesses sharing data can help one another prevent multiple types of attacks, including cyber, terrorist and economic attacks. Under the bill, non-relevant information that could identify specific people could theoretically be stripped from shared threat intelligence; if it is not removed, whoever receives it could use it for their own purposes.

Major tech giants, such as Apple, Google and Dropbox, that partner with solution providers have voiced their concerns about the bill, saying that it threatens information privacy.

Privacy advocates also warn that CISA will funnel data to the National Security Agency. A law forbidding the NSA from bulk collection of U.S. call metadata passed just this past summer.

Meanwhile, supporters say that better information sharing between the public and private sectors will facilitate better security for all involved.

While it is important that the government moves forward to combat cyberthreats, CISA may not be the best way to do so, said Jerry Craft, senior security consultant and chief information security officer at Nth Generation Computing, a San Diego-based solution provider.

Craft told CRN that he is a big fan of information sharing, but not when it comes to customer details.

"Sharing of personal information is something users have to handle themselves," Craft said. "But I'm not sure how preventing cybersecurity attacks can work without sharing details. We need the details to slow down an attack. But [former NSA employee Edward] Snowden showed there are some dark places where sharing can go."

One place where more sharing is needed is getting information from the government, said Craft, who as a former CISO at a major bank dealt with government officials who seemed to want as much information as they could get without giving anything back.

"When we reached out to the FBI or the Secret Service, we did not get any information in return," he said. "We saw information exchange as a one-way street. It was, 'You tell us everything you know, and we'll tell you nothing.' The government should get together with a council of peers who can work together instead of a bill like CISA."

Chris Kirschke, vice president of solutions, security and cloud at Bedrock Technology Partners, a San Diego-based solution provider, told CRN he looked at the act and was very disappointed.

"It's an incomplete bill," Kirschke said. "First of all, it's missing clarity. A lot of terms in there are not defined, terms like 'substantial manner' or 'substantial harm' or what an 'information system' is comprised of. It's a poor effort by the Senate to understand the threat landscape."

A major issue with the bill is the lack of control over personal information once it is passed to a government agency, Kirschke said. "Once it's deemed appropriate for cybersecurity purposes, there's no limit on what someone can do with it," he said.

The biggest issue is the immunity offered to companies who provide personal information to officials after a breach, Kirschke said.

"I work for a solution provider," he said. "I can take my competitor's network down and have immunity for it. If MasterCard gets pissed at Visa, they can threaten them. This could lead to a lot of playground fights. If I can justify my action as 'good faith efforts,' I can get away with it."

CISA could encourage active collaboration on personal data with the government, Kirschke said.

"If [the Department of Homeland Security] comes to me and asks for information, I can provide it without taking the time to check into the background of how the data will be used because of immunity," he said. "I get the need for sharing. But we need some kind of clearinghouse. This bill is not a step in the right direction."

The Senators should have spent more time in the industry with companies that deal with security issues, Kirschke said.

"Why not put the appropriate data in the public domain and let companies deal with it responsibly?" he said. "Knowledge is power. If you have a public with knowledge, you have a knowledgeable public. We don't need the NSA or the FBI controlling the information. If everyone has the information, they can make the right decisions."

Joe Kadlec, vice president and senior partner at Consiliant Technologies, an Irvine, Calif.-based solution provider, called CISA a "double-edged sword" because of the good and the harm it could do.

Kadlec told CRN he is not happy about the idea of sharing personal information. "I'm all for sharing of information that leads to the arrest of cybercriminals," he said. "But not about turning over private information. It's not always relevant information."

The double-edged sword is the fact that, if certain information can be shared with immunity, a company might just turn all information over, Kadlec said. That, he said, leads to concerns about who gets the information, how well it's protected, and what the government will do with the information once it gets it.

"The majority of our customers, when it comes to their customers' information, don't want to end up on the cover of the Wall Street Journal because of a breach," he said. "And CIOs are concerned about the potential for being personally liable for a breach."

Sarah Kuranda contributed to this story.