A growing number of information security and hacking incidents emphasize the importance of improving U.S. cybersecurity practices. But many computer security experts are concerned that the Cybersecurity Information Sharing Act of 2015 (CISA) is unlikely to meaningfully prevent cyberattacks as supporters claim. Rather, it will provide another avenue for federal offices to extract private data without addressing our root cybersecurity vulnerabilities.
The main premise of CISA is that cyber breaches can be prevented by encouraging private companies to share cyber threat data with the government. CISA would extend legal immunity to private entities that share sensitive information about security vulnerabilities—often containing personally identifiable information (PII) about users and customers—with federal offices like the Department of Justice (DOJ), Department of Homeland Security (DHS) and Director of National Intelligence (DNI).
But the Senate cool-down should not let us forget that CISA does not just threaten civil liberties, it could actually undermine cybersecurity. Information security experts point out that existing information sharing measures run by private companies like IBM and Dell SecureWorks rarely prevent attacks like CISA advocates promise. One survey of information security professionals finds that 87 percent of responders did not believe information sharing measures such as CISA will significantly reduce privacy breaches. The federal government already operates at least 20 information sharing offices collaborating on cybersecurity with the private sector, as Eli Dourado and I found in our new analysis through the Mercatus Center at George Mason University.
These numerous federal information-sharing initiatives have not stemmed the tidal wave of government cyberattacks. Another Mercatus Center analysis Dourado and I conducted finds that the number of reported federal information security failures has increased by an astounding 1,012 percent—from 5,502 in FY 2006 to 61,214 in FY 2013. Almost 40 percent of these involved the PII of federal employees and civilians. CISA could therefore have the unintended consequence of creating a juicy and unprepared target for one-stop hacking.
The Office of Management and Budget reports that many of the federal agencies that would be given large data management responsibilities through CISA, like the DOJ and DHS, reported thousands of such breaches in FY 2014. These agencies’ own information security systems are unlikely to become miraculously impervious to external hacking upon CISA’s passing. In fact, the massive amounts of new data to manage could further overwhelm currently suboptimal practices.
The federal government’s information security failures indicate a technocratic mindset that falsely equates the complexity of bureaucracy with the strength of a solution. In reality, the government’s brittle and redundant internal cybersecurity policies actively contribute to their security challenges. The Government Accountability Office (GAO) has reported for years that such overlapping and unclear responsibility in federal cybersecurity policy limits the offices’ ultimate effectiveness. A 2015 GAO investigation concludes that without significant change “the nation’s most critical federal and private sector infrastructure systems will remain at increased risk of attack from adversaries.”
The federal government must get its own house in order before such comprehensive information sharing measures like CISA could be even technically feasible. But CISA would be a failure even if managed by the most well-managed government systems because it seeks to impose a technocratic structure on a dynamic system.
Effective reform will promote a self-organizing “collaborative security approach” as outlined by groups like the Internet Society, an international nonprofit devoted to Internet policy and technology standards. Cybersecurity provision is too important a problem to be inadequately addressed by measures that will fail to improve security.