Explanation of CISA and its Negative Impacts to Cybersecurity and the American People’s Rights and Privacy

Abstract

This paper explains and explores the negative impacts of the Cybersecurity Information Sharing Act known as CISA.  It outlines what the new law contains in regards to cybersecurity threat sharing between the Federal Government of The United States of America and private companies.  The controversies around CISA are discussed and they include: lack of privacy in information sharing, surveillance, Fourth Amendment rights put forth by the United States Constitution, defensive countermeasures, the use of shared personal information for prosecution, the disregard CISA has for current laws and programs, and CISA’s inability to stop cybersecurity threats.  Additionally a number of alternatives to CISA are explored.  These recommendations include: vulnerability buybacks, reformation of current laws, the Federal Government’s embrace and support of end-to-end encryption, and maintaining the status quo of cybersecurity innovation.

Keywords: CISA, cybersecurity, surveillance, privacy, Government

Table of Contents

CISA the Law

Federal Agencies Involved

Title I

Sections 101 Through 103

Section 104

Section 105

Section 106

Section 107

Sections 108 and 109

Section 110

The Controversies of CISA

Private Information Sharing

Surveillance

Other Non-Cybercrimes

The Fourth Amendment

Countermeasures

The FCC and FTC

US-CERT

Alternatives to CISA

Vulnerability Buybacks

Legal Reform

Maintain the Status Quo

Encryption

Conclusion

References

The Cybersecurity Information Sharing Act known as CISA is a highly controversial law.  CISA aims to develop information sharing between companies and the Federal Government in order to protect cybersecurity.  The main problem with CISA is the fact that personal and private user information could be shared with the government.  This would be shared without a need for a warrant and could not only be used for cybersecurity, but to prosecute other crimes that are unrelated to cybersecurity.  CISA is not only a violation of American’s privacy, but it opens a door to mass surveillance by the American Government.  Added to all of this is the problem that CISA will not actually stop cyber threats or enhance cybersecurity and does nothing to add to, but can potentially hinder cybersecurity programs that are already in place.  CISA is a law that will not effectively protect America from cybersecurity threats, but instead it allows the American Government to spy on and ignore laws that protect the American People.

CISA the Law

CISA was introduced to congress on March 17, 2015, sponsored by Senator Richard Burr of North Carolina.  The primary mission of CISA is to create a law that facilitates the sharing of cybersecurity information between federal agencies, non-federal governments, and private entities.  The purpose of this being to detect, prevent, or mitigate cyber security threats, risks, and vulnerabilities.  CISA also has a liability waiver built into it, which would protect companies from being sued for voluntarily sharing information with the government and acting defensively.  Also, with written consent private companies or the government can operate defensive measures on another entity’s information systems.  CISA allows the cybersecurity information obtained to be used for certain purposes such as: serious threats, imminent threats, or threats to a minor.  CISA restricts the crimes that can be prosecuted with this information as: fraud and identity theft, espionage, censorship, trade secrets, imminent threat of death, serious bodily harm, serious economic harm, terrorism, or use of a weapon of mass destruction (Sen. Burr, 2015).

Federal Agencies Involved

CISA calls on a number of federal agencies to assist with its implementation and operation.  The Department of Homeland Security is instructed to create a system to detect cybersecurity risks in the network in which information is shared and to prevent or modify the traffic to remove cybersecurity risks.  It is also the agency that will notify other agencies of a cybersecurity threat, vulnerability, or intrusion and issue emergency directives.  The Department of Homeland Security will also be the one to authorize intrusion detection and prevention in order to secure the threatened agencies.  Another responsibility the Department of Homeland Security is given is the development of a strategy to guarantee there will not be a catastrophic regional or national effect on public health, safety, the economy, or our nation’s security.

The Department of State is another agency that is given new responsibilities.  The Department of State will be in charge of developing a diplomatic strategy in order to create agreements on international activity in cyberspace.  This will be done in order to make a way for the Department of State to consult with foreign governments regarding prosecution and the prevention of cybercrimes, as well as intellectual property crimes.

A separate agency called the National Cybersecurity and Communications Integration Center will create a nationwide strategy and process that coordinates the reporting of incidents or risks which threaten the networks that are used by emergency response providers.  The Department of Health and Human Services is also impacted by CISA.   CISA requests that the Department of Health and Human Services creates a special, centralized task force within the department, specifically designed for Cybersecurity.  This task force will plan and strategize a centralized single system for the government to share information about cybersecurity threats to the health care industry.  The task force will also develop and recommend ways for medical networks, devices, and health records to be protected.  Due to the fact that CISA is pulling in so many agencies and departments within the Federal Government, CISA authorizes these federal agencies to find gaps in their workforce where skill is lacking, which simple means: hire more people (Sen. Burr, 2015).

Title I

CISA is divided into four titles. Title I deals with cybersecurity information sharing, the root of CISA itself.  Title II is Federal Cybersecurity Enhancement, which handles improving the Federal Government’s cyber defenses.  Title III – Federal Cybersecurity Workforce Assessment, which assess how to go about identifying hiring needs to support CISA.  The final title is Title IV- Other Cyber Matters.  This one focuses on policies and studies such as studying the effects of cybersecurity in the health industry or on mobile devices.  It also sets up the strategies to defend against cybersecurity risks and to prosecute cybercriminals (Sen. Burr, 2015).  The primary focus of this paper will be on Title I since that is the portion that contains the most controversial content (Sen. Burr, 2015).

Sections 101 Through 103

Title I of CISA is divided into sections, 101 through 110.  Sections 101-102 are the short title and the definitions of the terminology.  Section 103 defines how the Federal Government will share information within itself.  This section explains that the government will have to share information in a “timely” manner with relevant entities.  Basically, it says that if there is a cybersecurity risk the government needs to notify the affected entity quickly.  It also adds that notifying the public will also be allowed, but only if the information is unclassified.  It is also in this section where CISA outlines the development of procedures for the government to share information.  For example it states that there should be a way to review and assess the data and remove personal information that does not relate to a cybersecurity threat known at the time (Sen. Burr, 2015).

Section 104

Section 104 is titled: Authorizations for Preventing, Detecting, Analyzing, and Mitigating Cybersecurity Threats.  This section does give authorization for any private entity to monitor any information system of any other entity with written consent.  In addition to this, any private entity can operate defensive measures for cybersecurity threats with written consent.  Section 104 also outlines that entities participating in sharing and implementing defenses with other entities need to setup protections against unauthorized access to the information.  This section also allows for oral consent versus written consent for private entities to assist other entities in implementing defenses (Sen. Burr, 2015).

Section 105

Section 105 is similar to 103, but it is opposite, meaning, it focuses on entities sharing information with the Federal Government.  One of the requirements this sets up is the creation of automated information sharing with real-time data.  There also has to be audit capabilities built into the systems that are used for sharing information, as well as the retention of records. This section also sets up guidelines for entities that are nearly the same as in section 103.  One of these is that personal information should be removed if it is believed to not be related to the cybersecurity threat at the time of sharing.   Section 105 also talks about privacy and civil liberties.  CISA will address these two issues by enforcing the need to remove personal data if it is believed, at the time of sharing, to be unrelated to the cybersecurity threat.  There will be retention periods also, meaning data that is shared has to be destroyed if not used after a certain time period.  While being stored it will also be considered confidential.  CISA will also require the Attorney General to audit federal and certain private entities every two years for any infraction of retention or data scrubbing or sharing.  Section 105 does also clarify that the information shared with the Federal Government will not be a hedge or protection to entities for unlawful activities. For entities sharing cyber threat indicators or defensive measures with the Federal Government, the shared information will remain proprietary to that entity.  It also goes onto say that the information shared with the government is deemed voluntary and thus it will be exempt from disclosure to the public or other entities (Sen. Burr, 2015).

Section 106

The next section, 106, is Protection from Liability.  Section 106 is short, but very important since it protects companies from being sued for sharing information.  All entities involved with the sharing of cybersecurity information have to follow the data scrubbing rules, and other policies created by CISA in order to be protected by CISA.  If someone does sue an entity for participating in cybersecurity threat indicator sharing, there would have to be very obvious flaws in the data scrubbing of the entity being sued.  Even then, it would be very difficult since the section clearly states: “No cause of action shall lie or be maintained in any court against any entity, and such action shall be promptly dismissed, for the sharing or receipt of cyber threat indicators or defensive measures…” (Sen. Burr, 2015).

Section 107

Section 107 outlines government oversight and the checks and balances that will be put into place for CISA.  Government entities will have to report to the Attorney General, Homeland Security, the Department of Justice, the Department of Defense, and Congress.  These reports will be audits, implementation reports, and operational reports.  Privacy and civil liberties, efficiency, and effectiveness will all be evaluated (Sen. Burr, 2015).

Sections 108 and 109

Sections 108 and 109, specifically state what CISA will not do and what needs to happen after CISA is passed.  CISA is not meant to be a law that is used to supersede future contractual agreements, monopolize a market or boycott entities, crate immunity from federal laws, add or take way from whistle blower protections, or prohibit lawful disclosures of information sharing (Sen. Burr, 2015).

Section 110

The final section of CISA is Section 110, the Conforming Amendment, which amends section 941(c)(3) of the National Defense Authorization Act of 2013.  This amendment authorizes the Secretary of Defense to share information with other federal entities.  It also notes that the information shared has to be consistent with CISA’s definition of a cybersecurity threat indicator and defensive measures.  The information sharing also has to align with the policies and procedures of the Attorney General’s Office as well as the Department of Homeland Security as outlined by CISA (Sen. Burr, 2015).

The Controversies of CISA

CISA has many points and is very lengthy. Although CISA attempts to make the United States’ cybersecurity stronger, there are many sacrifices, compromises, and shortcomings baked into this law.  The three primary reasons for CISA being controversial are its ability for the government to collect more data on citizens, its inability to actually stop or prevent cyberattacks, and its disregard and supersedence of current laws and warrants.

Private Information Sharing

Many critics of CISA believe that CISA will create a large backdoor into people’s private lives.  This is done by the collection of large amounts of data that will be sent to the Federal Government.  CISA also creates loopholes for surveillance on innocent citizens.  Senator Burr says that the information being shared is only done so because of cybersecurity threat indicators, however there is wording in CISA where it will require companies to share information regarding imminent harm such as terrorist attacks, violent crimes, and weapons of mass destruction.  However, due to the vagueness of the wording, it is possible for the government to manipulate CISA in order to collect personal and private information (Greenberg, 2015).

CISA authorizes excessive personal and private information sharing.  CISA does not define the term “cybersecurity threat” very well.  It defines it as an “unauthorized effort to adversely impact” an information system and or information that exists on a network.  This is very broad and would allow many companies to share personal information with the government.  This could lead to a large amount of information sharing.  CISA defines what information can be shared within a cybersecurity threat indicator.  This includes “information that is necessary to describe or identify” any “attribute of a cybersecurity threat”.  There is an issue with the wording here.  “Describe” and “attribute” of a threat could be interpreted many different ways and is broad enough to include personally identifiable information, including the actual contents of a private communication.  These are not necessarily needed to protect against threats, but CISA does not specifically define this (Greene, Cybersecurity Information Sharing Act of 2015 Is CyberSurveillance, 2015).

Since CISA says companies have to remove personal information if they “know” it is not “directly related” to a cybersecurity threat indicator, many companies may default to sharing this information.  This is mostly because companies do not have a one hundred percent guarantee that personal information is or isn’t related to a cybersecurity threat.  This information would not only include personal identifiers, but it could contain contacts and connections to other people.  This is a very weak requirement of CISA since this would allow information to not only be shared to the Department of Homeland Security, but also be disseminated to other government agencies, including law enforcement (Greene, Cybersecurity Information Sharing Act of 2015 Is CyberSurveillance, 2015).

CISA requires the Department of Homeland Security to automatically and immediately share information in real-time to any federal agency.  These agencies include the Central Intelligence Agency (CIA), Federal Bureau of Investigation (FBI,) Department of Commerce, and the National Security Agency (NSA).  The incentive for companies to share this information with the Department of Homeland Security would be that they are no longer liable for sharing information that their privacy policies would prohibit according to their user agreements.  This would mean a user whose information was shared with the government, cannot sue the company that shared the information, even if the user agreement stated they do not share information.

On top of this CISA states the Department of Homeland Security cannot do anything to impede the real-time dissemination of the information that is being shared.  What this translates to is the inability for the Department of Homeland Security to properly re-evaluate the information a second time to make sure there isn’t any non-pertinent personal information included in the cybersecurity threat indicator before sending the information to other government agencies.  Not only is this not a responsible way to handle information, but it opens the door to so many errors and unethical decisions due to the amount of information the Department of Homeland Security will be receiving.  What is a bit more disturbing is that CISA does allow companies to bypass the Department of Homeland Security and share information directly with other agencies such as the FBI, CIA, or NSA.  The only thing that may stop companies from doing this is the fact that they no longer get liability protections for bypassing the Department of Homeland Security.

The entire point of CISA having companies send information to the Department of Homeland Security was because it is a civilian agency, not law enforcement or military.  However, because CISA demands there should be no impediment to the real-time dissemination of this information to military and law enforcement agencies there is almost no point in having the Department of Homeland Security involved.  The Department of Homeland Security should have much more power in determining when, where, and if the cybersecurity threat indicators be shared with other agencies (Greene, Cybersecurity Information Sharing Act of 2015 Is CyberSurveillance, 2015).

Surveillance

Many would argue that CISA is not merely a cybersecurity law, but a surveillance law that gives the government unrestricted access to the American People’s daily lives.  The main reason for this is that it will allow information to be shared with the NSA and not have to be screened by the Department of Homeland Security.  Also, CISA does not prohibit the use of this information for surveillance.  CISA does not have limitations on the government to only use this information for cybersecurity purposes.  Additionally the scrubbing feature has been made optional as long as the information being shared could possibly be related to a cybersecurity threat indicator, with very little penalty enforcement for failing to scrub if it is not (Masnick, Congress Drops All Pretense: Quietly Turns CISA Into A Full On Surveillance Bill, 2015).

Senator Ron Wyden of Oregon is very much against CISA and has spoken against it as a surveillance bill:

Cyber-attacks and hacking against U.S. companies and networks are a serious problem for the American economy and for our national security. It makes sense to encourage private firms to share information about cybersecurity threats. But this information sharing is only acceptable if there are strong protections for the privacy rights of law-abiding American citizens. If information-sharing legislation does not include adequate privacy protections then that’s not a cybersecurity bill – it’s a surveillance bill by another name.  The most effective way to protect cybersecurity is by ensuring network owners take responsibility for security. Strong cybersecurity legislation should make clear that government agencies cannot order U.S. hardware and software companies to build weaker products, as senior FBI officials have proposed.  I am concerned that the bill the U.S. Senate Select Committee on Intelligence reported today lacks adequate protections for the privacy rights of American consumers, and that it will have a limited impact on U.S. cybersecurity.  (Sen. Wyden, 2015).

Due to the broad and unspecific language in CISA, the United States government does have authority to use surveillance under the guise of cybersecurity without the courts’ interference.  This could also lead to the abuse of information sharing and CISA as means to be even more intrusive into the public’s lives, which has been demonstrated by the NSA already (Masnick, Why The New CISA Is So Bad For Privacy, 2015).

To the American public, government surveillance is a very real thing.  In 2013 the NSA was revealed to have been collecting telephony data on innocent American citizens in bulk.  Additionally the NSA ran a program called PRISM, which extended the electronic surveillance of the American People to other digital records.  CISA completely ignores these concerns, and actually gives more information to the government, including the NSA, all in real-time.  Many feel that congress is not working to benefit the public with CISA, but instead is handing over privacy rights to law enforcement and intelligence agencies (Greene, coalition letter from 55 civil Society Groups, Security Experts, and academics opposing cisa, 2015).

Other Non-Cybercrimes

CISA not only allows this information to be shared for cybersecurity purposes, but also for other law enforcement assistance purposes.  This includes gathering evidence for investigations and prosecutions for any of the crimes listed in the law enforcement use portion of CISA.  Not all of these crimes are related to cybersecurity.  This would negate the use of a warrant or subpoena to gather personal information in order to prove someone guilty of a crime, which are there to protect innocent people (Greene, Cybersecurity Information Sharing Act of 2015 Is CyberSurveillance, 2015).

CISA does not do a good job at limiting what shared cybersecurity can be used for in regards to law enforcement investigations.  There is a wide array of garden-variety crimes that can be investigated using the information gathered and shared throughout the government.  According to CISA, any shared information that could be related to crimes that could result in the imminent death, serious bodily harm, or even serious economic harm, could be used to prosecute or investigate an individual.  This could translate to law enforcement using this information to prosecute for crimes such as carjacking, robbery, arson, use of firearms, ID fraud, and espionage.  It may seem like a good thing to stop these crimes, which it is, but the problem with CISA is it’s supposed to be for cybersecurity only, and these crimes have very little to do with cybersecurity.  This essentially is a blank check for the surveillance of all Americans.  CISA does not clearly define a specific set of computer related crimes, instead it allows a huge breadth of different crimes to be prosecuted and investigated with shared data.  CISA is much more than a cybersecurity bill; it is a surveillance bill that allows the United States government to ignore the Fourth Amendment and spy on its people, without reasonable cause and without proper checks or safeguards against corrupt and deceptive use of the information being shared (Greene, Cybersecurity Information Sharing Act of 2015 Is CyberSurveillance, 2015).

CISA could be used to over broaden law enforcement’s power and authority.  There is no lack of use limitations, again due to CISA’s vague and broad terminology.  In essence CISA contains loopholes for backdoors, searches, and seizures of American’s digital communications and files without a warrant.  Additionally, CISA undermines the Espionage Act due to the fact CISA allows the creation and operation of overboard information and intelligence collection programs (Greene, coalition letter from 55 civil Society Groups, Security Experts, and academics opposing cisa, 2015).

In the past, the NSA used laws that allowed them to stop acts of terrorism in order to spy on the American People by using upstream surveillance.  This could continue without any way of stopping it because of CISA.  If law enforcement used shared data to prosecute someone there would be no way of knowing where they got the data.  Data shared with CISA is exempt from the Freedom of Information ACT.  This means the data and the means of collection do not have to be completely disclosed in the courts (Greer & Shaw, 2015).  This is extremely disturbing due to the fact that the Freedom of Information Act not only was passed to stop government corruption, but also to support American’s constitutional rights, in this case the Fourth Amendment.

The Fourth Amendment

One of the most glaring problems with CISA is the fact that it ignores the Fourth Amendment of the United States Constitution, and provides reasoning and arguments to circumvent its authority.  The Fourth Amendments states:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.  (Mount, 2010).

The Fourth Amendment is the primary law that requires law enforcement to have a warrant issued in order to search or seize privately owned property.  CISA will allow companies to share people’s information with the government, without a need for a warrant regardless of any type of end user license agreement or EULA.  There is also nothing preventing the government to use that data against someone in court, which would normally take a warrant to do.  According to the Fourth Amendment a warrant also has to be issued if there is “probable cause”, meaning a judge has to decide if law enforcement has enough of a reason to search private property.  If the judge finds that they do have probable cause, the judge will sign the warrant.  Warrants are a protection for citizens and CISA removes that barrier by removing the need to have a warrant, which means the courts are not involved.  Courts are meant to interpret the law and protect people’s rights as Americans.  CISA doesn’t care about American’s rights, because it removes the very branch of government that was designed to contemplate when someone’s rights are to be taken away, which would be the courts’ decision.

Countermeasures

CISA authorizes countermeasures for private entities to not only defend against cyberattacks, but partake in retaliation.  CISA does say that these countermeasures must be implemented on an entity’s own information system; however there could be some impacts outside of a private entity’s own information system. These defensive measures are defined by CISA to be limited to not “destroy, render unusable, or substantially harm” another entity’s information system or data on their own system.  This definition is still too broad because it does not define what substantial harm is.  Companies could cause users considerable problems if they were to deploy the defensive measures CISA is authorizing.  This is very reckless since it could harm many innocent bystanders, including other entities such as hospitals, Fortune 500 businesses, energy companies, governments, and any other innocent third parties that hackers could uses as proxies to hide behind.  CISA would not only ignore the Computer Fraud and Abuse Act’s prohibition against these kinds of activates, but it also compromises the safety and security of people and the internet (Greene, coalition letter from 55 civil Society Groups, Security Experts, and academics opposing cisa, 2015). Yet, these could still be within CISA’s authorization.  However, this authorization seems a bit pointless, because companies are already allowed to defend their own systems.

Right now most Internet Service Providers (ISPs) are allowed, by federal law, to monitor traffic on their network for threats against their own system. Companies are allowed to setup firewalls, block malicious IP addresses, scan the network for malicious code, create honeypots, and create white lists to only allow authorized users access.  However, with CISA, companies including ISPs are allowed to monitor all their traffic on their network, looking for any threat to any system, not just their own.  This means every user will become a target for monitoring and not just those who generate suspicious traffic.  This is a major increase in the scope of user monitoring.  American’s privacy will be nonexistent with CISA.

The Electronic Communications Privacy Act or ECPA which grants companies authority to monitor their traffic in order to protect against their own system, is another of the many laws that CISA violates.  CISA provides a blanket authorization for companies to invade their users’ privacy for any cybersecurity purpose.  On top of this there is zero liability that will be placed on companies for sharing information unless there are strong signs of negligence, but even then it will be difficult for a user to fight a company and the government in a legal battle.  Again, this is in violation of current laws (Greene, Cybersecurity Information Sharing Act of 2015 Is CyberSurveillance, 2015).

This begs the question as to what is the point of these broad and dangerous defensive measures since there is very little reward compared to what can already be accomplished without them.  What is even more unsettling is that CISA specifically says defensive measures should not be interpreted as limiting the authority of the Secretary of Defense to create, implement, and conduct military cyber operations when directed by the President of the United States.  This is very disturbing because it opens a big door of opportunity for the government to continue to spy on the American People, as well as sabotage firmware, undermine encryption, and deploy cyber weapons that negatively impact the internet and computing environments (Greene, Cybersecurity Information Sharing Act of 2015 Is CyberSurveillance, 2015).

The FCC and FTC

The Federal Communications Commission (FCC) and the Federal Trade Commission (FTC) are in charge of regulating consumer privacy.  In 2015 the FCC created the Open Internet Order that categorized the internet as a Title II service which enforces network neutrality.  This was meant to protect consumers not only from unfair practices by companies, but also from privacy invasion and information sharing between companies.  CISA will take what the FCC and FTC have already accomplished, and remove large parts of it and hand it to Homeland Security.  Companies no longer are bound to what the FCC and FTC categorize as privacy intrusion as long as the data shared may possibly be construed as a cybersecurity threat indicator.  The FCC and FTC allow ISPs and other providers to monitor their own system to protect against cybersecurity threats, but CISA is essentially taking over this role and declawing the FCC and FTC when it comes to reprimanding companies for violating users’ privacy (Granick, 2015).

US-CERT

In 2003 the Department of Homeland Security launched US-CERT which stands for United States Computer Emergency Readiness Team.  This team collects, analyzes, disseminates, and responds to cybersecurity information shared among government agencies, the private sector, and research institutions.  In all honesty this is essentially what CISA aims to accomplish, so what is the point of CISA?   CISA does not address some of the main issues that enable hackers to steal data.  These issues include: outdated software, malware, and weak encryption for files and systems.  Also, CISA is supposed to be mostly voluntary, so if there aren’t enough participants, the program can’t accomplish its goals.  But again, what is the point of CISA?  The US-CERT is not as controversial as CISA, CISA doesn’t address the root causes of cyberattacks, and it is voluntary.  Perhaps the biggest accomplishment of CISA is that it paves a way for mass information collection and surveillance as Senator Wyden believes (Greenemeier, 2015).  It may sound like a conspiracy theory, but this is exactly what the controversy over CISA is about.

Some government and security officials also made statements to the effect that too much data could actually hinder government agencies from operating efficiently as well as hindering defense activities (Greene, coalition letter from 55 civil Society Groups, Security Experts, and academics opposing cisa, 2015)  The large volume of data could overwhelm government agencies and could result in data not even being analyzed, which could cause actual threats to go overlooked.  CISA may also lead to the sharing of more false positives, rather than actual threats.  On top of this, most skilled hackers know how to evade detection and avoid setting off triggers (Greenberg, 2015).  This is the nature of cybersecurity, it is always changing and criminals are always adapting.  The truth of the matter is that governments are only a small part of cybersecurity innovation.  Private companies, nonprofits, and universities also play a big role in cybersecurity innovation.  By implementing CISA, data shared by entities is all going to the government, which could end up taking away the need and drive for companies to innovate against cybersecurity attacks and rely upon federal agencies to handle threats.  This is only one of the many reasons why CISA is not good for cybersecurity.  Fortunately, there are some great ideas out there which would help improve cybersecurity without destroying users’ privacy.

Alternatives to CISA

CISA is not the answer to cybersecurity for the United States.  There are much better solutions that can address the root cause of vulnerabilities which hackers exploit.  There are a great number of things the Federal Government can do to help private companies improve the security of their information systems without compromising current laws and spying on the American People.

Vulnerability Buybacks

One solution would be to create incentives for vulnerability buybacks.  Many companies already hire or contract vendors to hack their information systems and find vulnerabilities and then report their findings in order to secure their systems.  This is great for companies; however it does not address rogue hackers.  Hackers who get into companies’ information systems tend to take information and sell it for profit.  Recently, companies such as United Airlines have created information buyback programs or “bug bounties” in order to secure the information and also learn how to better protect their system.  This incentivizes hackers to not sell the information on the black market, but to assist the company while still making money.  The government could help by either giving grants to private companies or by allowing tax write-offs for these buybacks.  This will encourage companies to create buyback programs and secure their systems (Waddell, 2015).

Legal Reform

In order to implement these buybacks there needs to be clarification and a trimming back of current anti-hacking laws.  One such law is the Computer Fraud and Abuse Act.  One of the goals of this law was to make a way for the prosecution of hackers.  However, this law allows the prosecution of any hacker into any protected computer system.  Those who criticize the law, mostly technology privacy activists, say that it discourages and inhibits legitimate and effective information system security research.  There have been a few proposals by lawmakers to allow for legitimate hacking.  One such law that was proposed was Aaron’s law.  It was named after a security researcher named Aaron, who took his own life when he was charged with data theft, even though his motives were legitimate and aimed at improving cybersecurity.  Aaron’s law was going to clarify what activities were considered lawful and unlawful when it came to researching vulnerabilities in private and public systems.  While this type of legislation would help create a platform to help improve cybersecurity, it was not passed (Waddell, 2015).

Maintain the Status Quo

Another recommendation to strength cybersecurity may seem very abstract, and that would be for the government to do nothing at all.  The current status quo of cybersecurity is quite innovative and fast moving.  Internet security is mostly made up of decentralized ad-hoc partnerships and affiliations.  These affiliations are made up of security experts and organizations that maintain internet security.  These produce high standards of security without any governmental oversight or hierarchy that controls security.  Computer Security Incident Response Teams or CSIRTs are the ones who monitor online traffic, identify threats and vulnerabilities, and find solutions to problems.  CSIRTs are not centralized entities, but they can exist within many organizations including: private companies, government agencies, nonprofits, and universities.  These are naturally occurring entities that developed with the growth of the internet.  The current seamless operation of the global internet is based upon its decentralized, polycentric communications organization.  This decentralized nature allows for CSIRTs to act quickly in the event of a threat or intrusion.  If there were to be a centralized cybersecurity monitoring entity, which is what CISA would help to create, it would actually be counterintuitive to the very nature of the internet itself.  Most governments have never undertaken such a huge task such as this because the bulk of cybersecurity is done by CSIRTs; which are mostly in the private sector and not the Federal Government.  Government agencies need to empower companies to protect themselves and their users from cybersecurity threats and privacy invasion, not do it for them (Hagemann, 2015).

Encryption

The Federal Government should support encryption, instead of criticize it.  The recent events between Apple and the FBI have brought encryption to the public eye.  Although, with this case a federal court ordered Apple to assist the FBI in accessing an iPhone which belonged to someone who committed a terrible crime.  This alone is causing controversy about the power of the courts and the power of a warrant.  However, separate form this; encryption should be encouraged for private and public companies to secure their networks and data.  By encrypting and securing data hackers would be less likely to break into a system and take data.  This would protect people and their privacy, which is the fundamental principle of cybersecurity.  What CISA wants to do is not necessarily improve cybersecurity by locking down systems, but instead collect information and give it to the government to handle.  This essentially lets companies off the hook for creating secure information systems, by not really giving them any consequences for having weak cybersecurity.  Additionally it threatens users’ privacy all for the sake of the government protecting itself and companies, not people (Waddell, 2015).

Conclusion

CISA is a law that will not effectively protect America from cybersecurity threats, but instead it allows the American Government to spy on and ignore laws that protect the American People.  It has glaring issues that are poorly executed.  These issues include: its inability to actually stop cybersecurity threats and its broad and vague language which allows law enforcement to forego the need for a warrant, which is a guaranteed right by the United States Constitution.  The American People will not only be exposed to largescale government surveillance, but also to the reckless use of their personal and private information.  CISA threatens the internet and the freedom it has created.  This controversial and dangerous law must be reversed in order to keep cyberspace secure and obey the rights of the American People.

References

Granick, J. (2015, December 16). OmniCISA Pits DHS Against the FCC and FTC on User Privacy . Retrieved from Just Security: https://www.justsecurity.org/28386/omnicisa-pits-government-against-self-privacy/

Greenberg, A. (2015, 03 20). CISA Security Bill: An F for Security but an A+ for Spying. Retrieved from WIRED: http://www.wired.com/2015/03/cisa-security-bill-gets-f-security-spying/

Greene, R. (2015, April 21). coalition letter from 55 civil Society Groups, Security Experts, and Academics Opposing CISA. Retrieved from Open Technology Institute: https://www.newamerica.org/oti/coalition-letter-from-55-civil-society-groups-security-experts-and-academics-opposing-cisa/

Greene, R. (2015, April 9). Cybersecurity Information Sharing Act of 2015 Is CyberSurveillance. Retrieved from New America: https://static.newamerica.org/attachments/2741-cybersecurity-information-sharing-act-of-2015-is-cyber-surveillance-not-cybersecurity/CISA_Cyber-Surveillance.488b3a9d2da64a27a9f6f53b38beb575.pdf

Greenemeier, L. (2015, October 28). A Quick Guide to the Senate’s Newly Passed Cybersecurity Bill. Retrieved from Scientific American: http://www.scientificamerican.com/article/a-quick-guide-to-the-senate-s-newly-passed-cybersecurity-bill/

Greer, E., & Shaw, D. (2015, July 29). CISA: the dirty deal between Google and the NSA that no one is talking about. Retrieved from The Hill: http://thehill.com/blogs/congress-blog/technology/249521-cisa-the-dirty-deal-between-google-and-the-nsa-that-no-one-is

Hagemann, R. (2015, June 24). We Don’t Need CISA – The Status Quo Will Suffice. Retrieved from Niskanen Center: https://niskanencenter.org/blog/we-dont-need-cisa-the-status-quo-will-suffice/

Masnick, M. (2015, December 15). Congress Drops All Pretense: Quietly Turns CISA Into A Full On Surveillance Bill. Retrieved from Techdirt: https://www.techdirt.com/articles/20151215/06470133083/congress-drops-all-pretense-quietly-turns-cisa-into-full-surveillance-bill.shtml

Masnick, M. (2015, December 17). Why The New CISA Is So Bad For Privacy. Retrieved from Techdirt: https://www.techdirt.com/articles/20151217/07303933108/why-new-cisa-is-so-bad-privacy.shtml

Mount, S. (2010, January 10). U.S. Constitution – Amendment 4. Retrieved from U.S. Constitution: http://www.usconstitution.net/xconst_Am4.html

Sen. Burr, R. (2015, 3 17). S.754 – Cybersecurity Information Sharing Act of 2015. Retrieved from Congress.Gov: https://www.congress.gov/bill/114th-congress/senate-bill/754

Sen. Wyden, R. (2015, March 12). Wyden: Cybersecurity Bill Lacks Privacy Protections, Doesn’t Secure Networks. Retrieved from Ron Wyden Senator For Oregon: https://www.wyden.senate.gov/news/press-releases/wyden-cybersecurity-bill-lacks-privacy-protections-doesnt-secure-networks

Waddell, K. (2015, September 8). Three Cybersecurity Alternatives if CISA Fails. Retrieved from Nextgov: http://www.nextgov.com/cybersecurity/2015/09/three-cybersecurity-alternatives-if-cisa-fails/120449/