
The CISA bill and the implications for channel partners

Security expert Kevin McDonald critiques the Senate-passed CISA bill, urging channel partners to think carefully about the proposed real-time sharing of their clients' data.

Have you heard about Senate Bill S. 754, the Cybersecurity Information Sharing Act, otherwise known as the CISA bill?

CISA is purported to help prevent cybercrime through cyberthreat data sharing. Such threat data could be information on an entity or individual attacking a company with a distributed denial-of-service attack, phishing or persistent network scanning. It could also help uncover zero-day vulnerabilities or monitor terrorist groups. The possibilities for different types of threat data are endless.

Here's how CISA defines the term cybersecurity threat: "An action, not protected by the First Amendment to the Constitution of the United States, on or through an information system that may result in an unauthorized effort to adversely impact the security, availability, confidentiality, or integrity of an information system or information that is stored on, processed by, or transiting an information system."

Let's keep in mind that what is or isn't protected by the First Amendment is often up for debate and based on context.

The Senate's passage of the CISA bill means both chambers have now passed what I would term "feel good" cybersecurity surveillance bills. For the bills to become law, the House and Senate must reconcile (combine) CISA with the House's two information sharing bills, the Protecting Cyber Networks Act and the National Cybersecurity Protection Advancement Act of 2015. If they can come to an agreement, which is highly likely given the similarities between the bills and the current terror environment, CISA will become law.

There are plenty of implications for channel partners, particularly those that the government compels to share data.

Cybersecurity bill: A push to monitor networks, share data

CISA will basically allow, encourage and even push companies to monitor their own networks and, with permission, others' networks, then capture threat data to share. It encourages capturing massive amounts of information traversing those networks, likely including personal data, without significant limitation. That data will then be shared with a litany of information-gobbling companies and government entities. The voluntary nature of the bill is also dubious: receiving data from the program will likely require sharing data as well.

I am a huge supporter of the need for good intelligence for our government to understand the world around us. I believe that the sharing of valuable threat data is critically important. However, there are far more fundamental data security protocols that are being flagrantly ignored by our government and businesses which put us in far greater peril.

Threat data is useless without context and, more importantly, without diligent action. Data means nothing if those receiving it ignore it, and most organizations receiving "threat data" do little or nothing to act on it defensively. What CISA will create is a free flow of data to an already bloated organization, and it will allow that data to be shared without any public check on who receives it, where it goes or how it is used.

"When a data-hungry organization says a data-gathering proposal is a bad idea, it is generally a really bad idea."
Kevin McDonald, executive vice president and director of compliance practices at Alvaka Networks

CISA's sponsors claim it's about sharing cyberthreat data. The problem is the contradictory nature of threat data sharing as it is practiced today. On the one hand, government entities like the U.S. Secret Service's Electronic Crimes Task Forces and the United States Computer Emergency Readiness Team (US-CERT), as well as many private companies, have been sharing threat data for a long time. On the other hand, many entities resist sharing. Security vendors often choose not to share because having the best malware and vulnerability database is a competitive advantage. Companies and consumers refrain because sharing may embarrass them, invite a lawsuit or interfere with ongoing investigations. Those in law enforcement and intelligence often don't share because it might tip off otherwise ignorant criminals to copy the technique or change their behavior, which makes identifying and capturing them more difficult.

If this legislation were only about requiring the government to share the information it possesses with the public, I would be all in on this bill. Unfortunately, that is not even its primary purpose. It's more like taxes: you send the government 40 cents of every dollar; it shaves off 30 cents for its bloated operations and sends back 10 cents for you to spend. CISA, in similar fashion, will provide almost zero return on the incredible amount of data it seeks to collect. Indeed, the bill pushes the Department of Homeland Security (DHS) to collect massive amounts of potentially sensitive information from civilian entities, then obligates DHS to share that information freely, in near real time, with many other government entities it doesn't even want to share with.

The government has consistently shown that it cannot control its insatiable appetite for information on what Americans are doing and with whom they associate. It has also consistently shown it cannot be trusted to protect the data in its possession from snooping and outright theft by insiders and external actors. Setting aside the significant potential for abuse by parts of the government with no security mission, the inability to protect even data classified as "secret", and the personal data of federal agency employees such as that held by the Office of Personnel Management, makes this law's claimed benefits moot.

A DHS Office of Inspector General (OIG) report points to a worsening data protection environment: "As of June 2015, DHS had 17 systems classified as 'Secret' or 'Top Secret' operating without [authorities to operate, or] ATOs. Without ATOs, DHS cannot ensure that its systems are properly secured to protect sensitive information stored and processed in them."

DHS opposes CISA language

DHS, meanwhile, has spoken in opposition to the Senate bill's language. DHS Deputy Secretary Alejandro Mayorkas, in response to questions from Sen. Al Franken, stated: "The authorization to share cyber threat indicators and defensive measures with 'any other entity or the Federal Government,' 'notwithstanding any other provision of law' could sweep away important privacy protections, particularly the provisions in the Stored Communications Act limiting the disclosure of the content of electronic communications to the government by certain providers."

When a data-hungry organization says a data-gathering proposal is a bad idea, it is generally a really bad idea. DHS recommended limiting the CISA bill's provision authorizing information sharing: the agency asked that sharing be confined to the DHS capabilities within the National Cybersecurity and Communications Integration Center. I strongly support making this change during reconciliation. In addition, the bill should incorporate the principles of the Freedom of Information Act (FOIA), a liability clause that addresses data loss and language that anticipates an OIG audit. The compromise bill should lift the veil covering the government's data-collection approach.

In addition to the privacy concerns, the breadth of agencies that will receive data will cause a massive disconnect and decentralization of data analysis. Deputy Secretary Mayorkas went on to say that CISA would "undermine the policy goals that were thoughtfully constructed to maximize privacy and accuracy of information."

The bill's sponsors claim the information will be anonymized. The problem is they provide no mechanism to require or verify anonymization beyond generic statements and future policy. CISA also grants full immunity to those who share data improperly or fail to protect it from breaches. The law neuters privacy protections and FOIA checks and balances under the guise of cybersecurity, and this absence of liability marks a tectonic shift in the right of the government and corporations to share citizens' information.

I am a huge supporter of cyberdefense and strongly support legitimate government ventures to protect systems and information. I do not, however, support government adventures into capturing unlimited private information on the chance that it might someday be needed for some obscure investigation. CISA, for all intents and purposes, is a political tool designed to convince the non-tech-savvy public that our do-nothing Congress is finally doing something about cybersecurity. It also appears to be a wonderful gift to those who desire unfettered access to the personal data gathered by the likes of Facebook, Google, MasterCard, Visa and other mass collectors, without accountability or liability.

Some proposed privacy provisions, such as requiring the careful stripping of identifiable information before sharing, were removed or otherwise defeated because the bill's authors claimed that getting real-time data is critical. Nothing in the CISA bill would have prevented any of the recent notable attacks. The truth is many hacks happen to companies that received advance notice of a known weak system configuration, vulnerability or technique and failed to defend against it. Others may even have indicators in their systems that show the activity plainly, but they lack the professional resources to look at and act on the data. While zero-day attacks and new techniques are growing in frequency, their use is rare compared with the exploitation of known vulnerabilities and techniques.

I have been a strong, public critic of the government's failure to share what it knows about active and past crimes. I have successfully pushed to get access to law enforcement and other government information. I am a major proponent of including vetted organizations and individuals in threat information sharing programs, because the sharing of genuine threat information among security professionals is critical. On occasion, sharing helps to limit attacks because it lets the security community know about recent techniques and events so that they can prevent similar actions.

However, I stress that data sharing should not involve the government beyond narrowly defined law enforcement functions. Cybersecurity is not the mass gathering of personal data that is then shared wholesale across private industry and among unrelated government divisions. That is CISA's reality, and the law contains little or no protection for individuals whose information is captured. It further eliminates the ability to understand how and by whom individuals' information is used, because it effectively kills FOIA in relation to data caught up in the CISA net. The bottom line: surveillance is being sold to the public as security.

Prepare to confront the CISA bill

As integrators, value-added resellers, managed service providers, managed security service providers and others who gather, access and protect incredible amounts of client data, we are going to be confronted by this reality. As service providers, we monitor, have access to and are responsible for systems across the economy. Some providers (not this one) may actually be forced to share the data they capture if the government makes such sharing a requirement in a contract or other purchasing mechanism.

My suggestion is that, as providers, it will be best to take a stand one way or the other on how you will handle sharing requests. You may have to decide your priority: client privacy rights and non-disclosure, or sharing information in real time to help stop the next attack. I take option one. For me, delivering threat data more slowly, rather than in real time, so that no private data is passed along is paramount.
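That stance implies a concrete control: nothing leaves for a sharing partner until personal data has been stripped and the result has been independently verified, which is exactly the mechanism the bill's sponsors never specified. The Python below is an added example written for this page, not code from the article or from Alvaka Networks. It assumes a provider that receives indicator records from its monitoring platform and treats only attacker-side fields (external source IP, domain, file hash, technique and a free-text description) as shareable; the field names, the internal-network list and the sample phishing record are all constructed for the example, with an RFC 5737 documentation address standing in for the attacker.

```python
import ipaddress
import re
from typing import Dict, List

# Attacker-side fields the provider has decided may leave the building; every
# other field (victim mailbox, internal hostname, raw log) is dropped outright.
# The field names are an assumption of this example.
SHAREABLE_FIELDS = {"observed", "technique", "attacker_ip", "attacker_domain",
                    "sha256", "description"}
# Free-text fields get redacted; structured fields must already be clean.
FREE_TEXT_FIELDS = {"technique", "description"}

# Client-internal address space: RFC 1918 plus loopback and link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# DOMAIN\user tokens and user=<name> fields, as they appear in the sample text.
USER_RE = re.compile(r"\b[A-Z][A-Z0-9]*\\[A-Za-z0-9._-]+|\buser=[A-Za-z0-9._-]+")


def is_internal_ip(text: str) -> bool:
    """True for addresses inside the client-internal ranges above."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def redact_text(text: str) -> str:
    """Remove personal data from free text; routable (attacker) IPs are kept."""
    text = EMAIL_RE.sub("[email]", text)
    text = USER_RE.sub("[user]", text)
    return IPV4_RE.sub(
        lambda m: "[internal-ip]" if is_internal_ip(m.group(0)) else m.group(0),
        text)


def scrub(record: Dict[str, str]) -> Dict[str, str]:
    """Keep only shareable fields and redact the free-text ones."""
    out = {}
    for key, value in record.items():
        if key not in SHAREABLE_FIELDS:
            continue
        out[key] = redact_text(str(value)) if key in FREE_TEXT_FIELDS else str(value)
    return out


def violations(record: Dict[str, str]) -> List[str]:
    """Independent check on the outbound record; anything listed blocks release."""
    problems = []
    for key, value in record.items():
        value = str(value)
        if key not in SHAREABLE_FIELDS:
            problems.append(f"{key}: not on the shareable allow-list")
            continue
        if EMAIL_RE.search(value):
            problems.append(f"{key}: contains an e-mail address")
        if USER_RE.search(value):
            problems.append(f"{key}: contains a user name")
        if any(is_internal_ip(m.group(0)) for m in IPV4_RE.finditer(value)):
            problems.append(f"{key}: contains a client-internal IP address")
    return problems


def prepare_batch(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Scrub every record and release the batch only if all of them verify clean.

    One failing record holds the whole batch (fail closed): a delay is the
    price of never passing client data along.
    """
    out = [scrub(r) for r in records]
    failed = {}
    for i, rec in enumerate(out):
        problems = violations(rec)
        if problems:
            failed[i] = problems
    if failed:
        raise ValueError(f"batch withheld, personal data remains: {failed}")
    return out


# Constructed sample record, roughly what a monitoring platform might hand the
# provider after a phishing incident. 203.0.113.0/24 is an RFC 5737
# documentation range used as the stand-in attacker address; the hash is a
# placeholder, not a real malware sample.
SAMPLE_RECORDS = [{
    "observed": "2015-10-28T14:03:11Z",
    "technique": "phishing with macro-enabled attachment",
    "attacker_ip": "203.0.113.45",
    "attacker_domain": "invoice-update.example",
    "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "description": "jane.doe@client.example opened attachment; beacon from "
                   "10.20.30.40 (CORP\\jdoe) to 203.0.113.45",
    "victim_mailbox": "jane.doe@client.example",
    "internal_host": "FIN-WS-07.corp.client.example",
}]

if __name__ == "__main__":
    for rec in prepare_batch(SAMPLE_RECORDS):
        print(rec)
```

The batch is withheld as a whole if any record still carries an e-mail address, a user name, a client-internal address or a field outside the allow-list, so a mistake delays sharing instead of leaking client data. Fixing a leak then means tightening the scrub rules before release, not asking a recipient to delete something it already holds. The verification step deliberately does not reuse the scrubbing step's output as proof: it re-examines the outbound record from scratch, which is the check the bill leaves to "future policy".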
