“Under the guise of ‘sharing threat intelligence,’ this bill allows companies to wholesale collect what is known as a ‘cyber threat indicator’ and pass it along for review to determine if it is a threat, or if the U.S. government has knowledge of the indicator,” he said.
Justin Harvey, CSO, Fidelis Cybersecurity
Harvey noted that a number of proposed amendments that sought to tighten privacy provisions – one by Sen. Al Franken (D-Minn.) would have required a strict definition of “cyber threat indicator” – failed to pass.
The failure of that amendment, he said, “means that companies, and the U.S. government, can determine, on the fly, what a cyber threat indicator is.”
He said that leaves the matter wide open, to the point that government could decide that even an encryption key is a threat. “With no definition of what these indicators are, government can decide what is relevant,” he said.
That concerns David Williamson, vice president of professional services at MetricStream, as well. The incentives in the bill, he said, are for companies “to pass information about people that can't be proven not to be threat indicators – did we all follow that? – to the DHS and then to the NSA, where it will be linked to other information the feds keep on their citizens.
“Once aggregated, linked and shared among the various federal agencies, there are no limits to the purposes for which this information can be used,” he said.
Evan Greer, campaign director of Fight For The Future, said in a prepared statement that the data collected will, “inevitably be used to investigate, prosecute, and incarcerate more people, deepening injustices in our society while failing to improve security.”
And Ben Desjardins, director of security solutions at Radware, said CISA could even undermine security. The collection and hoarding of threat data by a government that has failed to protect its own workers’ privacy (a reference to the catastrophic hack of the Office of Personnel Management last year that compromised the personal information of an estimated 21.5 million current and former federal workers), he said, will, “expand the attack surface and create a high target treasure trove of data.”
Sen. Dianne Feinstein (D-Calif.), vice chairwoman of the Senate Intelligence Committee and a sponsor of CISA, has complained a number of times that the bill’s opponents had been “spreading misinformation” about it. She said, before the Senate’s 74-21 passage of the bill in October, that it had gone through a number of iterations to add “substantial” privacy provisions.
But privacy advocates like the Electronic Frontier Foundation (EFF) continue to insist that the final bill “does not fix any core privacy concerns.”