Is CISA gift-wrapped for hackers and nation-state actors?


It seems that every time there is a data breach at a company or government agency, Congress's knee-jerk reaction is to call for information-sharing legislation. However, the most prominent breaches, like those at JPMorgan, Home Depot, Sony Pictures, Anthem and more recently at the Office of Personnel Management (OPM), and approximately 90 percent of all attacks in general, are the result of poor digital hygiene, and information sharing would not have done a thing to stop them.

Lawmakers are missing an important point in their rush to pass information-sharing legislation, beyond the fact that it won't work: Bills like the Cybersecurity Information Sharing Act (CISA) could actually make the situation worse. CISA may not just unnecessarily threaten Americans' privacy; it may threaten our national security as well.

The OPM hack is only the most recent prominent reminder that our federal systems are dangerously weak; it feels like we see evidence of those weaknesses in the news weekly. Last week, the Government Accountability Office issued a report cautioning that the Department of Defense's (DOD) cybersecurity is so poor that its industrial control systems are vulnerable to Stuxnet-style attacks. Federal agencies run outdated operating systems on their computers, like Windows XP. And in the last year alone, networks at the State Department, the Postal Service and even the White House have been subject to attacks.

CISA authorizes companies to share, with "any federal entity," information about cyber threats, dubbed "cyber threat indicators," including a large scope of personal data that can get caught up in those indicators. This includes sharing with demonstrably insecure entities like OPM, completely unrelated entities like the Environmental Protection Agency (EPA) or the IRS, and DOD and the National Security Agency, both of which have been the subject of recent massive data breaches.

If CISA becomes law as currently drafted, it will mean that federal entities will begin to receive, store and disseminate this sensitive information, even though they have shown themselves to be wholly ill-equipped and unprepared to do so securely.

The agencies that receive cyber threat indicators could be even greater targets for malicious hackers and nation-state actors because CISA's lax privacy protections mean that companies have no meaningful obligation to scrub personal data from threat indicators, and the government is actually forbidden from doing so. This will leave users exposed to countries like China, who have targeted federal networks allegedly for counterintelligence purposes.

Additionally, if CISA works as intended, and poorly secured agencies start receiving well-curated information about cyber threats, those agencies may be targeted even more than they are now. Hackers and nation states may attempt (and could likely succeed at) breaching those networks in order to identify the information that cyber threat indicators should reveal: The targets, tactics and procedures that U.S. industry and government are most aware of and are most prepared to protect against. Access to that information would alert those actors as to whether they should alter their methods to avoid detection, making them more nimble than they are now.

This means that CISA is not only bad for privacy; it's bad for national security, too.

There are many ways other than information sharing that Congress can enhance cybersecurity. It can find ways to incentivize companies and individuals to engage in good cyber hygiene; promote the use of strong encryption; and ensure that federal agencies have the support, resources and expertise necessary to shore up and then maintain the security of their networks. As currently drafted, information-sharing bills like CISA would likely create more problems than they would solve. That is why 71 groups and security experts wrote to the president last week, urging him to veto CISA, and why we urge the Senate to reject it as well.

Greene is policy counsel of the New America Foundation's Open Technology Institute.