Is the cyberthreat information-sharing bill steaming through Congress a privacy disaster waiting to happen?
The Cybersecurity Information Sharing Act gives government agencies and businesses free rein to share information about cyberthreats, presumably the better to go after hackers and prevent data breaches. On its face, given the recent large-scale attacks on JPMorgan Chase, the Office of Personnel Management, the Internal Revenue Service and many others, the idea of better information-sharing to protect customers from data thieves looks good.
But some privacy advocates worry that the bill could do the opposite of what policymakers intended, flushing more of consumers' sensitive information out into the open than ever — and making data crooks' jobs even easier.
In these critics' minds it would encourage businesses to hand over too much personally identifiable information [PII] to government agencies that are ill-equipped to protect it.
"The first problem with CISA is that it has very weak front-end privacy protection," said Robyn Greene, policy counsel, New America's Open Technology Institute, a Washington think tank. "There's a low requirement for companies to remove unnecessary personally identifiable information from the information they want to share with the government."
Under CISA, companies would only be required to remove PII if they know it is not directly related to a threat. The institute's position is that PII should be removed before sharing unless it is necessary to identify or protect against a threat.
"Your personal information is personal and shouldn't be shared with the government or other companies unnecessarily," Greene said.
The bill says information about any cybersecurity threat can be shared "notwithstanding any other provision of law." Privacy advocates consider this too sweeping and vague.
The House and Senate have approved similar versions of the legislation that still need to be reconciled. In a blog post published shortly after passage, Mark M. Jaycox, legislative analyst for the Electronic Frontier Foundation, wrote: "The bill is fundamentally flawed due to its broad immunity clauses, vague definitions, and aggressive spying authorities."
One specific privacy worry is that consumers' personal emails and attached files could be circulated broadly as part of crackdowns on phishing or malware attacks. Normally, the government would have to go to court to get a warrant to access this kind of private information. Under CISA, companies would have no liability for sharing this information with law enforcement agencies.
John Carlson, who is vice chair of the Financial Services Sector Coordinating Council, downplays such concerns.
Carlson is also chief of staff of the Financial Services Information Sharing and Analysis Center (FS-ISAC), the main clearinghouse for cyberthreat information in the financial industry, and he said cyberthreat-data feeds today do not include personally identifiable information.
"That's something we're very careful about, not sharing PII," he said. "It's more around what are the different types of attacks, what are the malicious IP addresses, malware signatures, what seem to be the motivations that can help others understand how they can protect the institutions and their customers."
The FS-ISAC strips the data of identifying information and sends it back out to all 6,600 members. Most are banks; some are insurance companies, broker-dealers and other kinds of financial institutions.
Greene counters that although the way banks share actionable threat indicators may not include personal information today, "it's hard to know whether or not those discrete entities sharing well-curated threat data will continue to do such a good job curating that data. More people are going to share data under this sweeping authority, and they will not be under the same constraints that the financial services industry has placed on itself. Why do we need to create such a low threshold of protection for PII?"
Another concern is that federal agencies could gain access to consumers' private information "with little fear that such sharing would ever be known to those whose information was shared," a group of college professors wrote in a letter to Congress.
The legislation would let companies do these things "with little fear of legal consequences for poor judgment (or worse)," they wrote.
Carlson argues that CISA's benefits outweigh privacy concerns.
"Some folks in the privacy community are missing the forest for the trees," he said. "The situation we're dealing with today is there are massive amounts of information that are being stolen by various adversaries. We're in a losing battle right now. We need to create an environment in which we can share more information in order to prevent these types of attacks from happening and help victim organizations respond more effectively. Frankly, there is no privacy when massive amounts of information are being stolen and sold for profit or are being acquired by other countries for use in other ways."
That comeback assumes, though, that information-sharing will do the job of increasing security.
Greene argues that it will only compound existing vulnerabilities.
"In the Office of Personnel Management breach, it was not esoteric data being targeted, it was PII," she said. "At the end of the day, the more we incentivize the dissemination of that information, the more we're duplicating how many places that data exists, and that increases the threat landscape. Entities that are not the best stewards of data now have increased quantities of that data. It's a cybersecurity issue and national security issue."
The vague definition of cyberthreats, the large scope of the data being collected, and the mechanisms for sharing data with any federal entity, including those like the OPM and IRS that have been subject to data breaches in recent years, all could undermine national security, Greene contends. The Department of Defense, another entity that could receive this data, has committed privacy violations in the past and been the victim of phishing and cyberattacks, she said.
"We're putting the cart before the horse — we shouldn't be increasing the sharing of this data until we have appropriate receipt and storage of the data," she said.
All things considered, it seems a fair argument that the bill could do more harm than good. Information sharing can be valuable, but the definitions of what can and cannot be shared need to be clear. And those receiving the information need to prove they can protect it and use it responsibly and conscientiously.