10/28/2015

5 Things To Know About CISA

Despite criticism from privacy advocates, the Cybersecurity Information Sharing Act passed through the Senate yesterday.

Yesterday, S. 754, the Cybersecurity Information Sharing Act (CISA) passed through the Senate, despite protests from privacy advocates and many information security and technology companies. A related bill passed through the House earlier this year; now CISA will go through a conference stage before heading to the President.

It's not a law yet, but here are a few things to know about CISA, going forward.

1. Not all tech companies are against it

There was a big push against CISA by privacy advocates, some tech giants -- including Apple, DropBox, Salesforce, and Twitter -- and many infosec experts. Yet, it garnered support by other security pros, particularly those in the threat intelligence space.

CISA encourages private organizations to share indicators of compromise or other information related to cybersecurity by allowing them to share threat and compromise data without fear of legal liability, public exposure or the anti-trust complications that may arise from sharing info with competitors.

Paul Kurtz, former cybersecurity advisor to the White House and CEO of threat intelligence and information sharing start-up TruSTAR, called the Senate's passage of CISA "an important step forward in addressing the ongoing cyber security crisis. ... This bill will provide important liability protections for companies that choose to exchange cybersecurity threat information. However, we have also heard the message loud and clear that information sharing efforts must not cost us our privacy. Now that government has played its role by removing legal obstacles to cyber incident collaboration, it is time for industry to work together to create a privacy-preserving information sharing infrastructure."

"The [threat intelligence] market has improved at sharing intelligence, but there are some inherent constraints that, absent some kind of an agreement like this, will unlikely be removed," says Chris Petersen, senior vice president of products, CTO and co-founder at LogRhythm. "To make this work effectively, we need some formal agreement between the public and private sectors on steps each sector can take."

The Health Information Trust Alliance (HITRUST) also stated today it supports CISA, noting that it wouldn't support just any info-sharing legislation, and had "opposed any amendment that would weaken significant provisions including the need to safeguard privacy and civil liberties or weaken liability protection for information sharing."

2. It's been called a 'surveillance bill'

The bill does include text that ostensibly protects privacy, but other text that could allow greater cooperation between the public and private sector on surveillance activities without the need for disclosure. Section 4 of the bill states: 

Requires the federal government and entities monitoring, operating, or sharing indicators or defensive measures: (1) to utilize security controls to protect against unauthorized access or acquisitions, and (2) prior to sharing an indicator, to remove personal information of or identifying a specific person not directly related to a cybersecurity threat.

Section 5 of the bill:

Requires cyber threat indicators and defensive measures shared with the federal government and threat indicators shared with state, tribal, or local governments to be: (1) deemed voluntarily shared information, and (2) exempt from disclosure and withheld from the public under any laws of such jurisdictions requiring disclosure of information or records.

“We must be concerned with both security and privacy, and we must find an effective balance,” says Petersen. “In the face of a large-scale cyber attack, privacy will be irrelevant if we cannot defend ourselves through the effective sharing of threat intelligence. Like it or not, we are entering an age of more persistent cyber threats, and this legislation is about national defense. We should still protect privacy, while also realizing the benefits of sharing across the public and private sectors.”

In a reddit Q&A session hosted by advocacy group Fight for the Future, NSA whistleblower Edward Snowden wrote of CISA, "It's not going to stop any attacks. It's not going to make us any safer. It's a surveillance bill. What it allows is for the companies you interact with every day -- visibly, like Facebook, or invisibly, like AT&T -- to indiscriminately share private records about your interactions and activities with the government."

3. It has bi-partisan support

Tuesday, the bill, sponsored by Sen. Richard Burr (R-NC), with the amendment added by Sen. Susan Collins (R-ME), passed 74-21. The nays were a mix of 14 Democrats, six Republicans and one independent. 

"We are at September 10th levels in terms of cyber preparedness," said Sen. Collins. "In light of this continuing state of cyber insecurity, the passage of this bipartisan legislation is a good first step in our effort to bolster our nation’s cyber defenses."

4. Amended CISA may create new regulation

The new provisions introduced by Sen. Collins require the Secretary of Homeland Security to develop a strategy to mitigate risk of catastrophic attacks to critical infrastructure -- "catastrophic" meaning a single attack that would result in 2,500 deaths, or $50 billion in economic damage, or severe degradation of national security. The amendment also requires DHS to conduct assessments of critical infrastructure at greatest risk of catastrophic attack.

The American Bankers Association applauded the passage of CISA, but expressed concerns about the new amendment, stating "allowing DHS to create cybersecurity standards for critical infrastructure that would have the practical impact of regulation is unnecessary and harmful."

5. It might injure trade and information-sharing across borders

The National Retail Federation, the Retail Industry Leaders Association, and the U.S. Chamber of Commerce all support CISA. Yet could enhanced sharing of information between private businesses and the U.S. government cause entities in other countries to avoid doing business with -- or sharing threat intelligence with -- American businesses? 

According to Yorgen Edholm, CEO of Accellion -- a private cloud services provider that, coincidentally, counts the U.S. Senate among its customers -- "Passage of the Cybersecurity Information Sharing Act isn’t just troubling from a privacy perspective, it’s troubling from an economic perspective as well. CISA is just the latest in a long list of legislations that are stifling trans-Atlantic information sharing, including the recent invalidation of Safe Harbor agreements. If lawmakers continue to discourage international organizations from doing business with US firms, while also intruding on the privacy rights of citizens, they run the risk of jeopardizing the health of the technology sector.” 

Regardless of whether CISA is signed into law, Carl Herberger, a former U.S. Air Force officer at the Pentagon and current vice-president of Security Solutions at Radware, says that the country needs a privacy law -- not just to protect citizens' privacy, but to protect the economy.

"Without a law governing the human aspect of privacy, people will continue to steal, borrow and monetize this valuable asset until it no longer holds meaning," says Herberger. "Delay of national privacy legislation is directly related to financial loss and national economic competitiveness. Financial institutions will be the great bearers of these costs as consumers demand to have their institutions restitute their damages."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that, she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments
Dr.T,
User Rank: Ninja
10/29/2015 | 2:39:35 PM
Re: Secrecy
If the secrecy is the target, then transparency is not really the truth; they will provide transparency in the areas where they would want to mislead the public, not on the subject matter.
Dr.T,
User Rank: Ninja
10/29/2015 | 2:35:44 PM
Re: Secrecy
Agree. If opposition grows, that would be the norm they have to go with, which nobody wants today. It is not consensus that they are looking for.
Dr.T,
User Rank: Ninja
10/29/2015 | 2:33:43 PM
Re: Separation of Powers
I agree. Separation of powers is already available if we do not touch the Internet. We will be reading this very soon if we go with this speed.
Dr.T,
User Rank: Ninja
10/29/2015 | 2:31:47 PM
Re: Secrecy
I understand why something has to be done privately; what I do not understand is the fact that this cannot be in masses. If it involves more than necessary, that is overreaching personal privacy.
Dr.T,
User Rank: Ninja
10/29/2015 | 2:29:25 PM
No need for a bill
As we did not need a net neutrality bill, we do not need this bill either; we have to let the Internet work the way it is.
RyanSepe,
User Rank: Ninja
10/29/2015 | 10:29:00 AM
Re: Secrecy
@Whoopty. It remains secretive because if it was more public it would definitely incur a greater degree of opposition. Whether this practice is detrimental or not, that's not for me to decide. I agree with you that the secrecy of this endeavor makes things smell fishy. But what degree of transparency should be provided? I think that's the biggest question.
RyanSepe,
User Rank: Ninja
10/29/2015 | 10:24:32 AM
Separation of Powers
I agree with Yorgen. I think this act will endanger exposure from other countries' businesses, as, depending on the nature of the business, it endangers their own citizens' data. A partnership between the private and public sectors is dangerous, as its fatal flaw lies in the number of bodies it represents. In direct opposition to another, who has the higher authority? I believe many would argue government. This seems like an unfair partnership. If it yields results in terms of threat mitigation I'll hop on board, but until concrete evidence is provided that this will be beneficial, I remain skeptical.
Whoopty,
User Rank: Ninja
10/29/2015 | 8:09:59 AM
Secrecy
What I don't understand is why, if these actions are necessary and noble, does it all need to be so secretive? If data gathering is an important part of police work and tracking people online can aid and abet the arrest of dangerous individuals, why does the cooperation between government and the private sector have to be conducted in private?

That suggests that it's not all above board, but by its very nature we cannot know.