With a string of high-profile hacks affecting everyone from Sony Pictures to the insurance company Anthem, there's broad agreement that more needs to be done to secure the internet. On Tuesday, the Senate passed legislation that supporters say will boost internet security by encouraging companies to share information about online threats with one another and with the government. The vote was 74 to 21.
The legislation, the Cybersecurity Information Sharing Act (CISA), is backed by Sen. Richard Burr (R-NC), chair of the Senate Intelligence Committee, and the committee's top Democrat, Sen. Dianne Feinstein (D-CA). The House of Representatives has already passed companion legislation, and the bill has support from the Obama administration. The only remaining steps are for the House and Senate to reconcile the differences between their bills — and for President Obama to sign the compromise.
But there's something strange about this supposed cybersecurity legislation. It doesn't have much support among security experts in the private sector. And two leading technology industry trade groups — representing giants like Google, Apple, and Microsoft that are targeted by hackers more than anyone else on the internet — oppose it.
Indeed, support for the legislation seems to have come mostly from US intelligence agencies, which would gain access to even more information about Americans' online activities. It's not clear how much CISA would expand government surveillance of Americans' online activities, but critics say the broad information-sharing language in the legislation creates a privacy menace that far outweighs any benefits from increased online security.
CISA supporters say more information sharing is needed to secure the internet
CISA supporters say government agencies would be better able to help private companies secure their networks if they had access to more data about online threats. If a private company detects suspicious activity on its network, the theory goes, it could provide information to the Department of Homeland Security (DHS), which could warn administrators at other companies to be on the lookout.
The problem, CISA supporters argue, is that companies are reluctant to do this because they're afraid they'll run afoul of privacy laws. If companies start sharing detailed information about suspected attacks, they'll occasionally — and inadvertently — disclose personal information about their users.
To solve this alleged problem, CISA would grant companies broad immunity from privacy laws when they share cybersecurity-related information with the Department of Homeland Security. That's good for government agencies because it will give them access to more data. And much of corporate America likes the idea of getting immunity from lawsuits.
There's not much evidence CISA is solving a real problem
It's far from clear that privacy laws are actually hampering efforts to beef up the internet's defenses. I've been covering the debate over information-sharing legislation for more than three years, and I have yet to see a clear example where more information sharing could have thwarted an attack.
Companies already share a fair amount of information — with one another and with the federal government — about online attacks, and there's no evidence that these companies have run afoul of privacy laws. The security information that companies share right now tends to be carefully curated by security experts. These experts write reports that succinctly provide technical details about an emerging threat, without including any users' personal information.
CISA advocates envision a more ambitious system in which companies provide an automated, 24/7 stream of data about suspicious activity on their networks. In theory, the US government could create a vast database of network activity across the internet and use it to detect emerging threats. The volume of data being shared in this scenario would be so large that it wouldn't be possible for human beings to review it all and make sure private user data isn't inadvertently shared with the government.
But critics have questioned whether this ambitious strategy will actually prove effective. "Companies like IBM and Dell SecureWorks already have massive 'cybersecurity information sharing' systems where they hoover up large quantities of threat information from their customers," wrote security expert Robert Graham in a blog post earlier this year. "This rarely allows them to prevent attacks as the CISA bill promises. In other words, we’ve tried the CISA experiment, and we know it doesn’t really work."
"There are almost no security experts who believe that information sharing is the crucial bottleneck" for securing networks, Eli Dourado, a researcher at the Mercatus Center at George Mason University, told me last week.
Critics say CISA is really about expanded government surveillance
Opponents of CISA argue that it's not really a cybersecurity bill at all. Instead, they say it's an effort by intelligence agencies to further expand their surveillance capabilities.
"This is coming out of the Senate Intelligence Committee, not the Commerce or Homeland Security Committees," Dourado said. While many companies are happy to have expanded liability protections, he says, "I don't hear very much arguing outside of the Intelligence Committee that we need this for cybersecurity."
CISA puts the Department of Homeland Security in charge of the information-sharing program, but it also gives the agency broad discretion to share data with other government agencies — including intelligence agencies like the NSA and CIA. Critics worry that the information-sharing program would become yet another way for the NSA to spy on Americans.
Indeed, while much of corporate America has been supportive of CISA, the technology industry has been more skeptical. Two major tech industry trade groups, the Computer and Communications Industry Association (which counts internet giants Google, Facebook, and Amazon among its members) and BSA (representing major software vendors such as Microsoft, Apple, and Oracle), are opposing CISA.
"CISA’s prescribed mechanism for sharing of cyber threat information does not sufficiently protect users’ privacy or appropriately limit the permissible uses of information shared with the government," CCIA said in a blog post last week.